CVE-2023-0955

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in the WP Statistics WordPress plugin allows authenticated users to execute arbitrary SQL commands. By default, only administrators can exploit it, but the plugin's settings may allow lower-privileged users to access the vulnerable feature.

💻 Affected Systems

Products:
  • WP Statistics WordPress Plugin
Versions: before 14.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration restricts exploit to users with manage_options capability (administrators), but plugin settings can extend access to lower-privileged users

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, or site takeover

🟠 Likely Case: Data exfiltration from WordPress database tables

🟢 If Mitigated: Limited impact if only trusted administrators have access

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; SQL injection is a well-understood attack vector

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.0

Vendor Advisory: https://wpscan.com/vulnerability/18b7e93f-b038-4f28-918b-4015d62f0eb8

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Statistics
4. Click 'Update Now' if available
5. If not, download version 14.0+ from WordPress.org
6. Upload and replace existing plugin

🔧 Temporary Workarounds

Restrict User Access (applies to: all platforms)

Ensure only trusted administrators have the manage_options capability, and disable any plugin settings that extend WP Statistics access to lower-privileged users

Disable Plugin (applies to: linux, via WP-CLI)

Temporarily disable the WP Statistics plugin until patched:

wp plugin deactivate wp-statistics

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict database user permissions to SELECT-only for WP Statistics functionality

🔍 How to Verify

Check if Vulnerable:

Check WP Statistics plugin version in WordPress admin under Plugins → Installed Plugins

Check Version:

wp plugin get wp-statistics --field=version

Verify Fix Applied:

Confirm WP Statistics version is 14.0 or higher
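The version check above is easy to get wrong when scripted, because a plain string comparison ranks "9.9" above "14.0". The following is an added example (not part of this advisory and not WP Statistics project code) that parses the version string printed by the WP-CLI command above and compares it numerically against the fixed release 14.0; the `--path` argument is WP-CLI's standard site-path option, and the pre-release handling (a 14.0-rc1 build is treated as still below 14.0) is an assumption of this example.

```python
"""Added example: decide whether an installed WP Statistics version is below the
fixed release (14.0) without relying on string comparison, which would wrongly
rank "9.9" above "14.0"."""
import re
import subprocess

FIXED_VERSION = "14.0"  # first fixed release named in the advisory


def parse_version(version: str):
    """Split '13.2.9', 'v14.0' or '14.0-rc1' into (numeric tuple, pre-release tag or None)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z][\w.-]*))?\s*$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    tag = m.group(2).lower() if m.group(2) else None
    return numbers, tag


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is below, equal to or above b.

    Numeric components compare as integers and are zero-padded so that
    14.0 == 14.0.0; a pre-release tag (14.0-rc1) sorts below the release it
    precedes, so it is still treated as vulnerable (assumption of this example)."""
    na, ta = parse_version(a)
    nb, tb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    key_a = na + ((1,) if ta is None else (0, ta))
    key_b = nb + ((1,) if tb is None else (0, tb))
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return compare_versions(installed, FIXED_VERSION) < 0


def installed_version(site_path: str = ".") -> str:
    """Run the advisory's WP-CLI check and return the version it prints (needs WP-CLI)."""
    result = subprocess.run(
        ["wp", "plugin", "get", "wp-statistics", "--field=version", f"--path={site_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    state = "VULNERABLE (below 14.0)" if is_vulnerable(version) else "patched"
    print(f"WP Statistics {version}: {state}")
```

Run it from the WordPress root (or pass the site path) on each host; `is_vulnerable` can also be fed version strings collected by other inventory tooling.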

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL-like requests to WP Statistics endpoints

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with SQL-like parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (param="*sql*" OR param="*union*" OR param="*select*" OR param="*from*")
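The wildcard matches in that SIEM query (`*from*`, `*select*`) are substring matches and will also fire on ordinary parameter values such as `fromdate` or `selected`. The following is an added example (not part of this advisory) that applies the same indicators to request logs but decodes the query string and POST body and matches the keywords as whole words only. The JSON-per-line log layout and the `action` names in the constructed sample lines are assumptions of this example; the advisory does not name the vulnerable parameter, so the detection keys on the admin-ajax.php path and the keyword set above rather than on a specific action.

```python
"""Added example: flag admin-ajax.php requests whose parameters carry SQL keywords."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Same keyword set as the SIEM query, but matched as whole words so that values
# like "fromdate" or "selected" do not trigger on their own.
SQL_KEYWORDS = re.compile(r"\b(sql|union|select|from)\b", re.IGNORECASE)
TARGET_PATH = "/wp-admin/admin-ajax.php"


def extract_params(record: dict) -> dict:
    """Merge URL-decoded query-string and form-body parameters of one request."""
    params = dict(parse_qsl(urlsplit(record.get("uri", "")).query, keep_blank_values=True))
    if record.get("method", "").upper() == "POST":
        params.update(parse_qsl(record.get("body", ""), keep_blank_values=True))
    return params


def suspicious_params(record: dict) -> dict:
    """Return the parameters containing SQL keywords for a request to admin-ajax.php."""
    if urlsplit(record.get("uri", "")).path != TARGET_PATH:
        return {}
    return {k: v for k, v in extract_params(record).items() if SQL_KEYWORDS.search(v)}


def scan(lines) -> list:
    """Parse JSON log lines and return one hit per flagged request."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        found = suspicious_params(rec)
        if found:
            hits.append({
                "client": rec.get("client"),
                "user": rec.get("user"),
                "action": extract_params(rec).get("action"),
                "params": found,
            })
    return hits


# Constructed sample log lines (not real traffic); field layout and action names are assumed.
SAMPLE_LOG = """
{"client":"203.0.113.7","user":"editor1","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&interval=60"}
{"client":"203.0.113.8","user":"editor2","method":"GET","uri":"/wp-admin/admin-ajax.php?action=example_report&fromdate=2023-01-01&selected=1"}
{"client":"203.0.113.9","user":"admin","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=example_action&order_by=id%20UNION%20SELECT%201%2C2%2C3"}
{"client":"198.51.100.4","user":"-","method":"GET","uri":"/wp-login.php?redirect_to=%2Fwp-admin%2F"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['client']} user={hit['user']} action={hit['action']} params={hit['params']}")
```

Only the third sample line is reported: the `fromdate` and `selected` values on the second line contain the keywords as substrings but not as whole words. Because the exploit requires an authenticated user, the `user` field of each hit is the most useful pivot for follow-up (which account, and whether its capabilities should include WP Statistics at all).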

🔗 References