
CVSS: 9.8 | EPSS: 50% | CPEs: 1 | EXPL: 1

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the IP parameter in the ~/includes/class-wp-statistics-hits.php file, which allows unauthenticated attackers to inject arbitrary SQL queries and obtain sensitive information, in versions up to and including 13.1.5. • https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 50% | CPEs: 1 | EXPL: 1

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the current_page_type parameter in the ~/includes/class-wp-statistics-hits.php file, which allows unauthenticated attackers to inject arbitrary SQL queries and obtain sensitive information, in versions up to and including 13.1.5. • https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

10 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the exclusion_reason parameter in the ~/includes/class-wp-statistics-exclusion.php file, which allows unauthenticated attackers to inject arbitrary SQL queries and obtain sensitive information, in versions up to and including 13.1.4. Exploitation requires the "Record Exclusions" option to be enabled on the vulnerable site. • https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Sep 2021 — The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1, due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2626597%40wp-statistics&new=2626597%40wp-statistics&sfp_email=&sfph_mail= • CWE-352: Cross-Site Request Forgery (CSRF)
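The CSRF entry above names the failure (a state-changing handler that trusts a request merely because the admin's browser sent it with the admin's session) and the fix (nonce validation). The following Python script is an added example, not WP Statistics code and not WordPress's own wp_create_nonce()/wp_verify_nonce() implementation: it mints an HMAC-based nonce bound to an action, a user and a 12-hour tick (accepted for the current and previous tick, the same window WordPress uses), then shows a plugin-toggle handler with and without the check. The action name `toggle_plugin`, the secret, the plugin names and the request/user dictionaries are assumptions made for the demo.

```python
import hashlib
import hmac
import time

# Assumed server-side secret; WordPress derives its nonce key from the salts in
# wp-config.php. Constructed for this example only.
SECRET = b"constructed-secret-for-this-example-only"

# One tick is 12 hours. A nonce is accepted for the tick it was minted in and
# the one before, so it lives between 12 and 24 hours.
TICK_SECONDS = 12 * 60 * 60
ACTION = "toggle_plugin"  # assumed action name for the handler below


def _tick(now):
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def create_nonce(action, user_id, now=None):
    """Short HMAC over tick|action|user: the token is only valid for this
    action, this user and this time window."""
    msg = f"{_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def verify_nonce(nonce, action, user_id, now=None):
    """Recompute for the current and previous tick; constant-time compare."""
    tick = _tick(now)
    for t in (tick, tick - 1):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]
        if hmac.compare_digest(expected.encode(), str(nonce).encode()):
            return True
    return False


def toggle_plugin_unchecked(request, user, active):
    """Vulnerable shape: the only gate is 'is the caller an admin'. A forged
    form on an attacker's page is submitted by the admin's browser with the
    admin's session cookie, so it passes and flips the plugin state."""
    if not user.get("is_admin"):
        raise PermissionError("admin only")
    return active ^ {request["plugin"]}  # toggle: new set, input untouched


def toggle_plugin_checked(request, user, active, now=None):
    """Hardened shape: refuse unless the request carries a nonce minted for
    this action and this user (the role check_admin_referer()/wp_verify_nonce()
    play in WordPress). A third-party page cannot read or compute that value."""
    if not user.get("is_admin"):
        raise PermissionError("admin only")
    if not verify_nonce(request.get("_wpnonce", ""), ACTION, user["id"], now):
        raise PermissionError("missing or invalid nonce")
    return active ^ {request["plugin"]}


def request_accepted(request, user, now=None):
    """Does the checked handler accept this request?"""
    try:
        toggle_plugin_checked(request, user, set(), now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    admin = {"id": 1, "is_admin": True}
    forged = {"plugin": "akismet"}  # what a cross-site form can send: no nonce
    print(toggle_plugin_unchecked(forged, admin, {"akismet"}))  # set(): deactivated
    print(request_accepted(forged, admin))                       # False
    legit = {"plugin": "akismet", "_wpnonce": create_nonce(ACTION, admin["id"])}
    print(request_accepted(legit, admin))                        # True
```

The nonce is not a secret the attacker must guess per request; it is a value only a page served by the site to that user can embed, which is exactly what a cross-site form lacks.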

CVSS: 7.5 | EPSS: 2% | CPEs: 1 | EXPL: 2

19 May 2021 — The WP Statistics WordPress plugin before 13.0.8 relied on the WordPress esc_sql() function for a field not delimited by quotes and did not first prepare the query; esc_sql() escapes characters that are meaningful inside a quoted string literal, so it gives no protection where the value is not enclosed in quotes. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones. • https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
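The three 13.1.x entries (unparameterized IP, current_page_type and exclusion_reason values) and the pre-13.0.8 entry (esc_sql() on a field with no quotes around it) are the same mistake seen from two angles: the input reaches the SQL text instead of being bound. The script below is an added example written for this page, not code from WP Statistics or from the advisories, and runs against an in-memory SQLite table with constructed rows. The `hits` table and its columns are assumptions, `esc_sql_like` is a quote-escaping stand-in for esc_sql() (SQLite doubles quotes where MySQL backslash-escapes them; the property demonstrated is the same), and `coerce_like_percent_d` is a simplified assumption about what a `%d` placeholder in $wpdb->prepare() does to its argument.

```python
import re
import sqlite3

# Constructed sample rows; table name and columns are assumptions for this
# example, not the WP Statistics schema.
ROWS = [
    (1, "203.0.113.5", "post"),
    (2, "198.51.100.9", "page"),
    (3, "192.0.2.77", "home"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hits (id INTEGER, ip TEXT, page_type TEXT)")
    con.executemany("INSERT INTO hits VALUES (?, ?, ?)", ROWS)
    return con


def esc_sql_like(value):
    """Quote-escaping only: a stand-in for esc_sql(). Nothing but the quote
    character is touched, which is all a quoted string literal needs."""
    return value.replace("'", "''")


def lookup_escaped_quoted(con, ip):
    """Escaping suffices when the value sits inside quotes: a payload has to
    break out of the literal, and the quote it needs for that gets doubled."""
    sql = "SELECT id, ip FROM hits WHERE ip = '" + esc_sql_like(ip) + "'"
    return con.execute(sql).fetchall()


def lookup_escaped_unquoted(con, hit_id):
    """Vulnerable pattern from the pre-13.0.8 entry: the escaped value is
    concatenated into an unquoted numeric comparison. '1 OR 1=1' contains no
    quote, so escaping leaves it intact and the database parses it as SQL."""
    sql = "SELECT id, ip FROM hits WHERE id = " + esc_sql_like(hit_id)
    return con.execute(sql).fetchall()


def coerce_like_percent_d(value):
    """Approximates a %d placeholder: the argument is cast to an integer
    (leading digits, else 0) before it is bound. Simplified assumption about
    PHP intval() behaviour, not WordPress code."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def lookup_prepared(con, hit_id):
    """Hardened form: coerce, then bind as a parameter. The injected tail never
    becomes part of the statement."""
    sql = "SELECT id, ip FROM hits WHERE id = ?"
    return con.execute(sql, (coerce_like_percent_d(hit_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_escaped_quoted(db, "' OR '1'='1"))  # []
    print(lookup_escaped_unquoted(db, "1 OR 1=1"))   # all three rows
    print(lookup_prepared(db, "1 OR 1=1"))           # [(1, '203.0.113.5')]
```

The check a reviewer wants when auditing a $wpdb call is therefore not "is the value escaped?" but "is every user-controlled value either bound through prepare() or, if it is numeric, cast before concatenation?"; escaping alone only answers for quoted string positions.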

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Jul 2019 — An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL injection. • https://github.com/wp-statistics/wp-statistics/commit/bd46721b97794a1b1520e24ff5023b6da738dd75 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

31 May 2019 — The WP Statistics plugin through 12.6.5 for WordPress has stored XSS in includes/class-wp-statistics-pages.php: an account with the Editor role can create a post whose title contains JavaScript, which then executes against an admin user who views it. • https://github.com/wp-statistics/wp-statistics/commit/aec4359975344f75385ae1ec257575d8131d6ec2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Apr 2019 — The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request. • https://github.com/wp-statistics/wp-statistics/commit/5aec0a08680f0afea387267a8d1b9fbb3379247c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Jun 2018 — WordPress version 4.8+ contains a cross-site scripting (XSS) vulnerability in plugins.php or core WordPress on the delete function, which lets an attacker perform client-side attacks ranging from stealing a cookie to code injection. To exploit it, the attacker must craft a URL containing the payload and send it to the user; the victim has to open the link to be affected by the reflected XSS. • https://www.pluginvulnerabilities.com/2017/04/28/reflected-cross-site-scripting-xss-vulnerability-in-wp-statistics • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Jul 2017 — The WP Statistics plugin through 12.0.9 for WordPress has XSS in the rangestart and rangeend parameters on the wps_referrers_page page. • https://lorexxar.cn/2017/07/07/WordPress%20WP%20Statistics%20authenticated%20xss%20Vulnerability%28WP%20Statistics%20-=12.0.9%29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')