
CVSS: 9.8 • EPSS: 9% • CPEs: 1 • EXPL: 3

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. • https://www.exploit-db.com/exploits/51711 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5. • https://gist.github.com/Xib3rR4dAr/af90cef7867583ab2de4cccea2a8c87d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5. • https://gist.github.com/Xib3rR4dAr/89fc87ea1d62348c21c99fc11a3bfd88 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
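The two stored-XSS entries above share one shape: a value the visitor controls (the recorded IP and the browser string) is written to the statistics tables and later rendered into an administrator's page without escaping. The following is an added example in Python, not code from WP Statistics or from the advisories, that models that shape. It assumes the recorded IP is taken from a forwarded-for header and the browser string from User-Agent (assumptions about the data sources, chosen because both are attacker-supplied); the table markup and function names are illustrative. It shows the two checks a practitioner wants: reject a recorded "IP" that is not actually an IP address, and escape on output regardless of what was stored.

```python
"""Added example (not WP Statistics code): attacker-controlled visitor fields
rendered into an admin statistics page, before and after hardening.

Assumptions: the IP is read from X-Forwarded-For (falling back to the socket
address) and the browser string from User-Agent; the row markup is illustrative.
"""
import html
import ipaddress
from typing import Dict, Optional, Tuple


def client_ip_from_headers(headers: Dict[str, str], remote_addr: str) -> Optional[str]:
    """Take the first X-Forwarded-For hop if present, else the socket address,
    and accept it only if it parses as an IPv4/IPv6 address. Returns None when
    the candidate is not an IP, which is the case for any XSS payload."""
    candidate = headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def record_visit(headers: Dict[str, str], remote_addr: str) -> Tuple[str, str]:
    """Store the visitor row as (ip, browser). An invalid forwarded IP falls back
    to the socket address rather than being stored verbatim."""
    ip = client_ip_from_headers(headers, remote_addr) or remote_addr
    browser = headers.get("User-Agent", "")
    return ip, browser


def render_row_vulnerable(ip: str, browser: str) -> str:
    """'Before' pattern: stored values dropped straight into admin-page HTML."""
    return f"<tr><td>{ip}</td><td>{browser}</td></tr>"


def render_row_safe(ip: str, browser: str) -> str:
    """'After' pattern: HTML-escape at the point of output, including quotes so
    the value is also safe inside an attribute."""
    return (
        f"<tr><td>{html.escape(ip, quote=True)}</td>"
        f"<td>{html.escape(browser, quote=True)}</td></tr>"
    )


if __name__ == "__main__":
    # Constructed request: a visitor sending a script payload in both headers.
    payload = "<script>alert(document.cookie)</script>"
    headers = {"X-Forwarded-For": payload, "User-Agent": payload}
    ip, browser = record_visit(headers, "203.0.113.5")
    print("stored ip     :", ip)            # socket address; payload rejected
    print("vulnerable row:", render_row_vulnerable(ip, browser))
    print("safe row      :", render_row_safe(ip, browser))
```

Validation of the IP field is what closes the class-wp-statistics-ip.php case even if a later template forgets to escape; output escaping is what closes the browser case, because a User-Agent is free text and cannot be validated away.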

CVSS: 9.8 • EPSS: 50% • CPEs: 1 • EXPL: 1

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. • https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: 50% • CPEs: 1 • EXPL: 1

16 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5. • https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

10 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site. • https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Sep 2021 — The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2626597%40wp-statistics&new=2626597%40wp-statistics&sfp_email=&sfph_mail= • CWE-352: Cross-Site Request Forgery (CSRF) •
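The CSRF entry above comes down to a state-changing handler that never checks a nonce, so a request an administrator is tricked into sending is indistinguishable from one they meant to send. The following is an added example in Python, not WP Statistics code and not the WordPress wp_create_nonce()/wp_verify_nonce() implementation; it is a simplified model of that scheme (an HMAC over a time tick, the action name and the user, with the current and previous tick accepted) so that the property being checked is visible. The secret, the action name and the handler are assumptions made for the example.

```python
"""Added example (not WP Statistics or WordPress core code): a nonce bound to
action and user, and a state-changing handler that refuses requests without one.

Assumptions: a per-site secret, 12-hour ticks with the previous tick still
accepted (the WordPress behaviour being modelled), and an illustrative action
name and handler.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

SECRET = b"constructed-secret-for-example-only"   # assumption: per-site secret
TICK_SECONDS = 12 * 60 * 60                        # nonces roll over on 12-hour ticks
ACTION = "wp_statistics_toggle_plugin"             # assumption: illustrative action name


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS)


def _mac(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action: str, user_id: int, now: Optional[float] = None) -> str:
    """Nonce for this action and this user in the current tick."""
    now = time.time() if now is None else now
    return _mac(_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: Optional[float] = None) -> bool:
    """Accept the current or the previous tick; reject any other action, user,
    tick or a missing nonce. Constant-time comparison avoids leaking the MAC."""
    now = time.time() if now is None else now
    t = _tick(now)
    return any(
        hmac.compare_digest(nonce, _mac(candidate, action, user_id))
        for candidate in (t, t - 1)
    )


def toggle_plugin(request: Dict[str, str], user_id: int, now: Optional[float] = None) -> str:
    """'After' pattern for a state-changing handler. The 'before' pattern that the
    advisory describes is this same function with the verify_nonce() check removed:
    a link the admin is tricked into clicking then succeeds."""
    nonce = request.get("_wpnonce", "")
    if not verify_nonce(nonce, ACTION, user_id, now):
        return "rejected: invalid or missing nonce"
    return f"toggled {request['plugin']}"


if __name__ == "__main__":
    admin_id = 1
    # Forged request (constructed): the attacker cannot know the admin's nonce.
    print(toggle_plugin({"plugin": "hello.php"}, admin_id))
    # Legitimate request: the nonce was embedded in a page the admin rendered.
    n = create_nonce(ACTION, admin_id)
    print(toggle_plugin({"plugin": "hello.php", "_wpnonce": n}, admin_id))
```

The nonce is not a secret the attacker can guess or reuse across actions: a nonce minted for one action or user fails for another, and it expires after the previous tick, which is what turns a forged cross-site request into a rejected one.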

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Jul 2021 — The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2570762/wp-sms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5 • EPSS: 2% • CPEs: 1 • EXPL: 2

19 May 2021 — The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones. • https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Jul 2019 — An issue was discovered in the VeronaLabs wp-statistics plugin before 12.6.7 for WordPress. The v1/hit endpoint of the API, when the non-default "use cache plugin" setting is enabled, is vulnerable to unauthenticated blind SQL Injection. • https://github.com/wp-statistics/wp-statistics/commit/bd46721b97794a1b1520e24ff5023b6da738dd75 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
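The SQL injection entries on this page (the hits-tracking parameters current_page_id, current_page_type and IP, the exclusion_reason parameter, the v1/hit endpoint, and the 13.0.8 entry that names the mechanism: esc_sql() on a field not delimited by quotes, with no prepare) are one bug class. Escaping neutralises quote characters; an integer field that is not wrapped in quotes never needed a quote to break out of, so the escaping is a no-op and the payload is plain SQL. The following is an added example in Python against an in-memory SQLite table, not code from WP Statistics or WordPress; the table, the rows and the `escape_like_esc_sql` helper (which only backslash-escapes quotes and backslashes, a deliberately simplified stand-in for esc_sql(), not its implementation) are assumptions made for the example. It shows the escape-only query returning every row for a quote-free payload and the type-checked, parameterized query rejecting it.

```python
"""Added example (not WP Statistics or WordPress code): why escaping quotes does
not protect an unquoted numeric field, and what validation plus parameter binding
changes. Runs against an in-memory SQLite table with constructed rows.

Assumptions: the table layout, the sample rows, and escape_like_esc_sql() as a
simplified stand-in for esc_sql() (quotes and backslashes only).
"""
import sqlite3
from typing import List, Tuple


def escape_like_esc_sql(value: str) -> str:
    """Simplified stand-in for esc_sql(): escape backslashes and single quotes.
    The exact escaping rules do not matter below, because the payload used
    contains no quote characters and therefore passes through unchanged."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_db() -> sqlite3.Connection:
    """Constructed 'pages' table standing in for a statistics table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (page_id INTEGER, title TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "home", "none"), (2, "admin", "api-key-for-admin"), (3, "about", "none")],
    )
    return conn


def hits_vulnerable(conn: sqlite3.Connection, current_page_id: str) -> List[Tuple]:
    """'Before' pattern: escape-only, then string-interpolate into an unquoted
    numeric field. A request with current_page_id = '1 OR 1=1' becomes
    WHERE page_id = 1 OR 1=1 and returns every row."""
    sql = (
        "SELECT page_id, title, secret FROM pages WHERE page_id = "
        + escape_like_esc_sql(current_page_id)
    )
    return conn.execute(sql).fetchall()


def hits_parameterized(conn: sqlite3.Connection, current_page_id: str) -> List[Tuple]:
    """'After' pattern: enforce the type first (the analogue of a %d placeholder
    in $wpdb->prepare()), then bind the value so it can only ever be data."""
    try:
        page_id = int(current_page_id)
    except ValueError:
        return []  # reject non-integer input outright
    return conn.execute(
        "SELECT page_id, title, secret FROM pages WHERE page_id = ?", (page_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"  # constructed: no quotes, so escaping changes nothing
    print("escape-only  :", hits_vulnerable(db, payload))    # all three rows
    print("parameterized:", hits_parameterized(db, payload))  # []
    print("parameterized:", hits_parameterized(db, "2"))      # the intended row
```

The check a reviewer applies to code like this is mechanical: every value that reaches a query must either be cast to the type the column expects or be bound through a placeholder; esc_sql() on its own is only ever sufficient inside a quoted string literal, and even there a prepared statement is the better default.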