HTTP: WordPress WP Statistics Plugin SQL Injection

This signature detects attempts to exploit a known vulnerability in the WordPress WP Statistics plugin. A successful attack can lead to command injection and arbitrary code execution.

Extended Description

The WP Statistics WordPress plugin, in versions up to and including 13.1.5, is vulnerable to SQL injection due to insufficient escaping and parameterization of the current_page_id parameter in the ~/includes/class-wp-statistics-hits.php file. This allows unauthenticated attackers to inject arbitrary SQL queries and obtain sensitive information.

Affected Products

Veronalabs wp_statistics

Short Name
HTTP:SQL:INJ:WP-STATISTICS
Severity
Minor
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2022-25148 CVE-2022-4230 Injection Plugin SQL Statistics WP WordPress
Release Date
03/09/2022
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3590
False Positive
Unknown
Vendors

Veronalabs

CVSS Score

5.0
