All the vulnerabilites related to VeronaLabs - WP Statistics
jvndb-2017-000067
Vulnerability from jvndb
Published
2017-04-13 13:49
Modified
2017-06-01 15:23
Severity ?
Summary
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Details
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79) in multiple pages due to a flaw in processing HTTP Referer headers.
Note that this vulnerability is different from JVN#77253951.
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN62392065/index.html | |
| CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2136 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2017-2136 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000067.html",
"dc:date": "2017-06-01T15:23+09:00",
"dcterms:issued": "2017-04-13T13:49+09:00",
"dcterms:modified": "2017-06-01T15:23+09:00",
"description": "The WordPress plugin \"WP Statistics\" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79) in multiple pages due to a flaw in processing HTTP Referer headers.\r\n\r\nNote that this vulnerability is different from JVN#77253951.\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000067.html",
"sec:cpe": {
"#text": "cpe:/a:veronalabs:wp_statistics",
"@product": "WP Statistics",
"@vendor": "VeronaLabs",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000067",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN62392065/index.html",
"@id": "JVN#62392065",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2136",
"@id": "CVE-2017-2136",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2136",
"@id": "CVE-2017-2136",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
}
jvndb-2017-000062
Vulnerability from jvndb
Published
2017-04-10 13:47
Modified
2017-06-01 15:24
Severity ?
Summary
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Details
The WordPress plugin "WP Statistics" provided by WP Statistics contains a reflected cross-site scripting vulnerability (CWE-79).
ASAI Ken reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | https://jvn.jp/en/jp/JVN17633442/index.html | |
| CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2135 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2017-2135 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000062.html",
"dc:date": "2017-06-01T15:24+09:00",
"dcterms:issued": "2017-04-10T13:47+09:00",
"dcterms:modified": "2017-06-01T15:24+09:00",
"description": "The WordPress plugin \"WP Statistics\" provided by WP Statistics contains a reflected cross-site scripting vulnerability (CWE-79).\r\n\r\nASAI Ken reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000062.html",
"sec:cpe": {
"#text": "cpe:/a:veronalabs:wp_statistics",
"@product": "WP Statistics",
"@vendor": "VeronaLabs",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000062",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN17633442/index.html",
"@id": "JVN#17633442",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2135",
"@id": "CVE-2017-2135",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2135",
"@id": "CVE-2017-2135",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
}
jvndb-2017-000068
Vulnerability from jvndb
Published
2017-04-13 13:49
Modified
2017-06-01 13:53
Severity ?
Summary
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Details
The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79).
Note that this vulnerability is different from JVN#62392065.
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN77253951/index.html | |
| CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2147 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2017-2147 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000068.html",
"dc:date": "2017-06-01T13:53+09:00",
"dcterms:issued": "2017-04-13T13:49+09:00",
"dcterms:modified": "2017-06-01T13:53+09:00",
"description": "The WordPress plugin \"WP Statistics\" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79).\r\n\r\nNote that this vulnerability is different from JVN#62392065.\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000068.html",
"sec:cpe": {
"#text": "cpe:/a:veronalabs:wp_statistics",
"@product": "WP Statistics",
"@vendor": "VeronaLabs",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "5.0",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2017-000068",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN77253951/index.html",
"@id": "JVN#77253951",
"@source": "JVN"
},
{
"#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2147",
"@id": "CVE-2017-2147",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2147",
"@id": "CVE-2017-2147",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
}
jvndb-2022-000038
Vulnerability from jvndb
Published
2022-05-24 15:00
Modified
2024-06-18 15:41
Severity ?
Summary
WordPress plugin "WP Statistics" vulnerable to cross-site scripting
Details
WordPress plugin "WP Statistics" provided by VeronaLabs contains a cross-site scripting vulnerability (CWE-79).
Shogo Kumamaru of LAC CyberLink Co., Ltd reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| ▼ | Type | URL |
|---|---|---|
| JVN | http://jvn.jp/en/jp/JVN15241647/index.html | |
| CVE | https://www.cve.org/CVERecord?id=CVE-2022-27231 | |
| NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-27231 | |
| Cross-site Scripting(CWE-79) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000038.html",
"dc:date": "2024-06-18T15:41+09:00",
"dcterms:issued": "2022-05-24T15:00+09:00",
"dcterms:modified": "2024-06-18T15:41+09:00",
"description": "WordPress plugin \"WP Statistics\" provided by VeronaLabs contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nShogo Kumamaru of LAC CyberLink Co., Ltd reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000038.html",
"sec:cpe": {
"#text": "cpe:/a:veronalabs:wp_statistics",
"@product": "WP Statistics",
"@vendor": "VeronaLabs",
"@version": "2.2"
},
"sec:cvss": [
{
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
{
"@score": "6.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"@version": "3.0"
}
],
"sec:identifier": "JVNDB-2022-000038",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN15241647/index.html",
"@id": "JVN#15241647",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2022-27231",
"@id": "CVE-2022-27231",
"@source": "CVE"
},
{
"#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-27231",
"@id": "CVE-2022-27231",
"@source": "NVD"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
}
cve-2021-24340
Vulnerability from cvelistv5
Published
2021-06-07 10:49
Modified
2024-08-03 19:28
Severity ?
EPSS score ?
Summary
WP Statistics < 13.0.8 - Unauthenticated SQL Injection
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c | x_refsource_CONFIRM | |
| https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/ | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.425Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Statistics",
"vendor": "VeronaLabs",
"versions": [
{
"lessThan": "13.0.8",
"status": "affected",
"version": "13.0.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ram Gall (Wordfence)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-07T10:49:50",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Statistics \u003c 13.0.8 - Unauthenticated SQL Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24340",
"STATE": "PUBLIC",
"TITLE": "WP Statistics \u003c 13.0.8 - Unauthenticated SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Statistics",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "13.0.8",
"version_value": "13.0.8"
}
]
}
}
]
},
"vendor_name": "VeronaLabs"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ram Gall (Wordfence)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
},
{
"name": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24340",
"datePublished": "2021-06-07T10:49:50",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0513
Vulnerability from cvelistv5
Published
2022-02-16 16:38
Modified
2024-08-02 23:32
Severity ?
EPSS score ?
Summary
WP Statistics <= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:45.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Statistics",
"vendor": "VeronaLabs",
"versions": [
{
"lessThanOrEqual": "13.1.4",
"status": "affected",
"version": "13.1.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Cyku Hong from DEVCORE"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the \"Record Exclusions\" option to be enabled on the vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-16T16:38:03",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 13.1.5 or newer. "
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Statistics \u003c= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"ID": "CVE-2022-0513",
"STATE": "PUBLIC",
"TITLE": "WP Statistics \u003c= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Statistics",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "13.1.4",
"version_value": "13.1.4"
}
]
}
}
]
},
"vendor_name": "VeronaLabs"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Cyku Hong from DEVCORE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the \"Record Exclusions\" option to be enabled on the vulnerable site."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 13.1.5 or newer. "
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-0513",
"datePublished": "2022-02-16T16:38:03",
"dateReserved": "2022-02-07T00:00:00",
"dateUpdated": "2024-08-02T23:32:45.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-38074
Vulnerability from cvelistv5
Published
2023-03-13 13:43
Modified
2024-08-03 10:45
Severity ?
EPSS score ?
Summary
WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:45:52.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-statistics",
"product": "WP Statistics",
"vendor": "VeronaLabs",
"versions": [
{
"changes": [
{
"at": "13.2.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "13.2.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL Injection vulnerability in VeronaLabs WP Statistics plugin\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;\u0026lt;= 13.2.10 versions.\u003c/span\u003e"
}
],
"value": "SQL Injection vulnerability in VeronaLabs WP Statistics plugin\u00a0\u003c= 13.2.10 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-13T13:43:34.752Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;13.2.11 or a higher version."
}
],
"value": "Update to\u00a013.2.11 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Statistics Plugin \u003c= 13.2.10 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-38074",
"datePublished": "2023-03-13T13:43:34.752Z",
"dateReserved": "2022-09-14T13:22:24.168Z",
"dateUpdated": "2024-08-03T10:45:52.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-27231
Vulnerability from cvelistv5
Published
2022-06-13 04:50
Modified
2024-08-03 05:25
Severity ?
EPSS score ?
Summary
Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wordpress.org/plugins/wp-statistics/ | x_refsource_MISC | |
| https://wordpress.org/plugins/wp-statistics/#developers | x_refsource_MISC | |
| https://jvn.jp/en/jp/JVN15241647/index.html | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| VeronaLabs | WP Statistics |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:25:32.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-statistics/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-statistics/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN15241647/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Statistics",
"vendor": "VeronaLabs",
"versions": [
{
"status": "affected",
"version": "versions prior to 13.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-13T04:50:30",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/wp-statistics/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/wp-statistics/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN15241647/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-27231",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Statistics",
"version": {
"version_data": [
{
"version_value": "versions prior to 13.2.0"
}
]
}
}
]
},
"vendor_name": "VeronaLabs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-statistics/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/wp-statistics/"
},
{
"name": "https://wordpress.org/plugins/wp-statistics/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/wp-statistics/#developers"
},
{
"name": "https://jvn.jp/en/jp/JVN15241647/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN15241647/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-27231",
"datePublished": "2022-06-13T04:50:30",
"dateReserved": "2022-05-12T00:00:00",
"dateUpdated": "2024-08-03T05:25:32.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}