Search

Find a vulnerability

Search criteria

    16 vulnerabilities found for WP Statistics by VeronaLabs

    CVE-2026-48839 (GCVE-0-2026-48839)

    Vulnerability from nvd – Published: 2026-06-01 14:43 – Updated: 2026-06-01 16:18 X_Open Source
    VLAI
    Title
    WordPress WP Statistics plugin <= 14.16.6 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS. This issue affects WP Statistics: from n/a through 14.16.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: n/a , ≤ 14.16.6 (custom)
    Create a notification for this product.
    Credits
    daroo | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48839",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T16:14:57.388290Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T16:18:50.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-statistics",
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "14.16.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "14.16.6",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "daroo | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.\u003cp\u003eThis issue affects WP Statistics: from n/a through 14.16.6.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.\n\nThis issue affects WP Statistics: from n/a through 14.16.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-588",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-588 DOM-Based XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T14:43:29.590Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/wp-statistics/vulnerability/wordpress-wp-statistics-plugin-14-16-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress WP Statistics Plugin to the latest available version (at least 14.16.7)."
                }
              ],
              "value": "Update the WordPress WP Statistics Plugin to the latest available version (at least 14.16.7)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "WordPress WP Statistics plugin \u003c= 14.16.6 - Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-48839",
        "datePublished": "2026-06-01T14:43:29.590Z",
        "dateReserved": "2026-05-25T14:28:27.466Z",
        "dateUpdated": "2026-06-01T16:18:50.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55716 (GCVE-0-2025-55716)

    Vulnerability from nvd – Published: 2025-08-14 18:21 – Updated: 2026-04-28 16:13
    VLAI
    Title
    WordPress WP Statistics Plugin <= 14.15 - Broken Access Control Vulnerability
    Summary
    Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through <= 14.15.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: 0 , ≤ 14.15 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:42
    Credits
    Denver Jackson | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-15T12:54:03.654950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-15T12:54:10.346Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-statistics",
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "14.15.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "14.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Denver Jackson | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:42:28.114Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Statistics: from n/a through \u003c= 14.15.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through \u003c= 14.15."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:13:37.332Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-statistics/vulnerability/wordpress-wp-statistics-plugin-plugin-14-15-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WP Statistics Plugin \u003c= 14.15 - Broken Access Control Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-55716",
        "datePublished": "2025-08-14T18:21:23.962Z",
        "dateReserved": "2025-08-14T09:10:30.443Z",
        "dateUpdated": "2026-04-28T16:13:37.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-38074 (GCVE-0-2022-38074)

    Vulnerability from nvd – Published: 2023-03-13 13:43 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection
    Summary
    SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: n/a , ≤ 13.2.10 (custom)
    Create a notification for this product.
    Credits
    Rafie Muhammad (Patchstack)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:45:52.402Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-38074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-08T21:48:42.008673Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-08T22:08:34.007Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-statistics",
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "13.2.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "13.2.10",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rafie Muhammad (Patchstack)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in VeronaLabs WP Statistics plugin\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a0\u003c= 13.2.10 versions.\u003c/span\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in VeronaLabs WP Statistics plugin\u00a0\u003c= 13.2.10 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:46.976Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a013.2.11 or a higher version."
                }
              ],
              "value": "Update to\u00a013.2.11 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WP Statistics Plugin \u003c= 13.2.10 is vulnerable to SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-38074",
        "datePublished": "2023-03-13T13:43:34.752Z",
        "dateReserved": "2022-09-14T13:22:24.168Z",
        "dateUpdated": "2026-04-28T16:07:46.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-27231 (GCVE-0-2022-27231)

    Vulnerability from nvd – Published: 2022-06-13 04:50 – Updated: 2024-08-03 05:25
    VLAI
    Summary
    Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting
    Assigner
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: versions prior to 13.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:25:32.082Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wp-statistics/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wp-statistics/#developers"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15241647/index.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 13.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-13T04:50:30.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wordpress.org/plugins/wp-statistics/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wordpress.org/plugins/wp-statistics/#developers"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN15241647/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-27231",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WP Statistics",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "versions prior to 13.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VeronaLabs"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/wp-statistics/",
                  "refsource": "MISC",
                  "url": "https://wordpress.org/plugins/wp-statistics/"
                },
                {
                  "name": "https://wordpress.org/plugins/wp-statistics/#developers",
                  "refsource": "MISC",
                  "url": "https://wordpress.org/plugins/wp-statistics/#developers"
                },
                {
                  "name": "https://jvn.jp/en/jp/JVN15241647/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN15241647/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-27231",
        "datePublished": "2022-06-13T04:50:30.000Z",
        "dateReserved": "2022-05-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:25:32.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0513 (GCVE-0-2022-0513)

    Vulnerability from nvd – Published: 2022-02-16 16:38 – Updated: 2025-02-10 14:53
    VLAI
    Title
    WP Statistics <= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason
    Summary
    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: 13.1.4 , ≤ 13.1.4 (custom)
    Create a notification for this product.
    Credits
    Cyku Hong from DEVCORE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:32:45.879Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-0513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T14:53:38.489319Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T14:53:42.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "lessThanOrEqual": "13.1.4",
                  "status": "affected",
                  "version": "13.1.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Cyku Hong from DEVCORE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the \"Record Exclusions\" option to be enabled on the vulnerable site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-16T16:38:03.000Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 13.1.5 or newer. "
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WP Statistics \u003c= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Wordfence",
              "ASSIGNER": "security@wordfence.com",
              "ID": "CVE-2022-0513",
              "STATE": "PUBLIC",
              "TITLE": "WP Statistics \u003c= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WP Statistics",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "13.1.4",
                                "version_value": "13.1.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VeronaLabs"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Cyku Hong from DEVCORE"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the \"Record Exclusions\" option to be enabled on the vulnerable site."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/",
                  "refsource": "MISC",
                  "url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php",
                  "refsource": "MISC",
                  "url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 13.1.5 or newer. "
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2022-0513",
        "datePublished": "2022-02-16T16:38:03.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2025-02-10T14:53:42.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24340 (GCVE-0-2021-24340)

    Vulnerability from nvd – Published: 2021-06-07 10:49 – Updated: 2024-08-03 19:28
    VLAI
    Title
    WP Statistics < 13.0.8 - Unauthenticated SQL Injection
    Summary
    The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: 13.0.8 , < 13.0.8 (custom)
    Create a notification for this product.
    Credits
    Ram Gall (Wordfence)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.425Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "lessThan": "13.0.8",
                  "status": "affected",
                  "version": "13.0.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Ram Gall (Wordfence)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-07T10:49:50.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WP Statistics \u003c 13.0.8 - Unauthenticated SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24340",
              "STATE": "PUBLIC",
              "TITLE": "WP Statistics \u003c 13.0.8 - Unauthenticated SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WP Statistics",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "13.0.8",
                                "version_value": "13.0.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VeronaLabs"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Ram Gall (Wordfence)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
                },
                {
                  "name": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/",
                  "refsource": "MISC",
                  "url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24340",
        "datePublished": "2021-06-07T10:49:50.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-48839 (GCVE-0-2026-48839)

    Vulnerability from cvelistv5 – Published: 2026-06-01 14:43 – Updated: 2026-06-01 16:18 X_Open Source
    VLAI
    Title
    WordPress WP Statistics plugin <= 14.16.6 - Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS. This issue affects WP Statistics: from n/a through 14.16.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: n/a , ≤ 14.16.6 (custom)
    Create a notification for this product.
    Credits
    daroo | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48839",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T16:14:57.388290Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T16:18:50.112Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-statistics",
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "14.16.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "14.16.6",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "daroo | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.\u003cp\u003eThis issue affects WP Statistics: from n/a through 14.16.6.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS.\n\nThis issue affects WP Statistics: from n/a through 14.16.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-588",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-588 DOM-Based XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T14:43:29.590Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/wp-statistics/vulnerability/wordpress-wp-statistics-plugin-14-16-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress WP Statistics Plugin to the latest available version (at least 14.16.7)."
                }
              ],
              "value": "Update the WordPress WP Statistics Plugin to the latest available version (at least 14.16.7)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "WordPress WP Statistics plugin \u003c= 14.16.6 - Cross Site Scripting (XSS) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-48839",
        "datePublished": "2026-06-01T14:43:29.590Z",
        "dateReserved": "2026-05-25T14:28:27.466Z",
        "dateUpdated": "2026-06-01T16:18:50.112Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-55716 (GCVE-0-2025-55716)

    Vulnerability from cvelistv5 – Published: 2025-08-14 18:21 – Updated: 2026-04-28 16:13
    VLAI
    Title
    WordPress WP Statistics Plugin <= 14.15 - Broken Access Control Vulnerability
    Summary
    Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through <= 14.15.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: 0 , ≤ 14.15 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:42
    Credits
    Denver Jackson | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55716",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-15T12:54:03.654950Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-15T12:54:10.346Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-statistics",
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "14.15.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "14.15",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Denver Jackson | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:42:28.114Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP Statistics: from n/a through \u003c= 14.15.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in VeronaLabs WP Statistics wp-statistics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Statistics: from n/a through \u003c= 14.15."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-180",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Exploiting Incorrectly Configured Access Control Security Levels"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:13:37.332Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wp-statistics/vulnerability/wordpress-wp-statistics-plugin-plugin-14-15-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WP Statistics Plugin \u003c= 14.15 - Broken Access Control Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-55716",
        "datePublished": "2025-08-14T18:21:23.962Z",
        "dateReserved": "2025-08-14T09:10:30.443Z",
        "dateUpdated": "2026-04-28T16:13:37.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-38074 (GCVE-0-2022-38074)

    Vulnerability from cvelistv5 – Published: 2023-03-13 13:43 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection
    Summary
    SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: n/a , ≤ 13.2.10 (custom)
    Create a notification for this product.
    Credits
    Rafie Muhammad (Patchstack)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:45:52.402Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-38074",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-08T21:48:42.008673Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-08T22:08:34.007Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-statistics",
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "13.2.11",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "13.2.10",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rafie Muhammad (Patchstack)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "SQL Injection vulnerability in VeronaLabs WP Statistics plugin\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a0\u003c= 13.2.10 versions.\u003c/span\u003e"
                }
              ],
              "value": "SQL Injection vulnerability in VeronaLabs WP Statistics plugin\u00a0\u003c= 13.2.10 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:46.976Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a013.2.11 or a higher version."
                }
              ],
              "value": "Update to\u00a013.2.11 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WP Statistics Plugin \u003c= 13.2.10 is vulnerable to SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-38074",
        "datePublished": "2023-03-13T13:43:34.752Z",
        "dateReserved": "2022-09-14T13:22:24.168Z",
        "dateUpdated": "2026-04-28T16:07:46.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-27231 (GCVE-0-2022-27231)

    Vulnerability from cvelistv5 – Published: 2022-06-13 04:50 – Updated: 2024-08-03 05:25
    VLAI
    Summary
    Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.
    Severity
    No CVSS data available.
    CWE
    • Cross-site scripting
    Assigner
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: versions prior to 13.2.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:25:32.082Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wp-statistics/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wp-statistics/#developers"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/jp/JVN15241647/index.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "status": "affected",
                  "version": "versions prior to 13.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-site scripting",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-13T04:50:30.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wordpress.org/plugins/wp-statistics/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wordpress.org/plugins/wp-statistics/#developers"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/jp/JVN15241647/index.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2022-27231",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WP Statistics",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "versions prior to 13.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VeronaLabs"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-site scripting"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/wp-statistics/",
                  "refsource": "MISC",
                  "url": "https://wordpress.org/plugins/wp-statistics/"
                },
                {
                  "name": "https://wordpress.org/plugins/wp-statistics/#developers",
                  "refsource": "MISC",
                  "url": "https://wordpress.org/plugins/wp-statistics/#developers"
                },
                {
                  "name": "https://jvn.jp/en/jp/JVN15241647/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/jp/JVN15241647/index.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2022-27231",
        "datePublished": "2022-06-13T04:50:30.000Z",
        "dateReserved": "2022-05-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:25:32.082Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0513 (GCVE-0-2022-0513)

    Vulnerability from cvelistv5 – Published: 2022-02-16 16:38 – Updated: 2025-02-10 14:53
    VLAI
    Title
    WP Statistics <= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason
    Summary
    The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: 13.1.4 , ≤ 13.1.4 (custom)
    Create a notification for this product.
    Credits
    Cyku Hong from DEVCORE
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:32:45.879Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-0513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T14:53:38.489319Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-10T14:53:42.447Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "lessThanOrEqual": "13.1.4",
                  "status": "affected",
                  "version": "13.1.4",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Cyku Hong from DEVCORE"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the \"Record Exclusions\" option to be enabled on the vulnerable site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-16T16:38:03.000Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to version 13.1.5 or newer. "
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WP Statistics \u003c= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "AKA": "Wordfence",
              "ASSIGNER": "security@wordfence.com",
              "ID": "CVE-2022-0513",
              "STATE": "PUBLIC",
              "TITLE": "WP Statistics \u003c= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WP Statistics",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "13.1.4",
                                "version_value": "13.1.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VeronaLabs"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Cyku Hong from DEVCORE"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the \"Record Exclusions\" option to be enabled on the vulnerable site."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/",
                  "refsource": "MISC",
                  "url": "https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php",
                  "refsource": "MISC",
                  "url": "https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to version 13.1.5 or newer. "
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2022-0513",
        "datePublished": "2022-02-16T16:38:03.000Z",
        "dateReserved": "2022-02-07T00:00:00.000Z",
        "dateUpdated": "2025-02-10T14:53:42.447Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24340 (GCVE-0-2021-24340)

    Vulnerability from cvelistv5 – Published: 2021-06-07 10:49 – Updated: 2024-08-03 19:28
    VLAI
    Title
    WP Statistics < 13.0.8 - Unauthenticated SQL Injection
    Summary
    The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    VeronaLabs WP Statistics Affected: 13.0.8 , < 13.0.8 (custom)
    Create a notification for this product.
    Credits
    Ram Gall (Wordfence)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.425Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "WP Statistics",
              "vendor": "VeronaLabs",
              "versions": [
                {
                  "lessThan": "13.0.8",
                  "status": "affected",
                  "version": "13.0.8",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Ram Gall (Wordfence)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-07T10:49:50.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WP Statistics \u003c 13.0.8 - Unauthenticated SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24340",
              "STATE": "PUBLIC",
              "TITLE": "WP Statistics \u003c 13.0.8 - Unauthenticated SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "WP Statistics",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "13.0.8",
                                "version_value": "13.0.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "VeronaLabs"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Ram Gall (Wordfence)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c"
                },
                {
                  "name": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/",
                  "refsource": "MISC",
                  "url": "https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24340",
        "datePublished": "2021-06-07T10:49:50.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.425Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2022-000038

    Vulnerability from jvndb - Published: 2022-05-24 15:00 - Updated:2024-06-18 15:41
    Severity
    Summary
    WordPress plugin "WP Statistics" vulnerable to cross-site scripting
    Details
    WordPress plugin "WP Statistics" provided by VeronaLabs contains a cross-site scripting vulnerability (CWE-79). Shogo Kumamaru of LAC CyberLink Co., Ltd reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000038.html",
      "dc:date": "2024-06-18T15:41+09:00",
      "dcterms:issued": "2022-05-24T15:00+09:00",
      "dcterms:modified": "2024-06-18T15:41+09:00",
      "description": "WordPress plugin \"WP Statistics\" provided by VeronaLabs contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nShogo Kumamaru of LAC CyberLink Co., Ltd reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-000038.html",
      "sec:cpe": {
        "#text": "cpe:/a:veronalabs:wp_statistics",
        "@product": "WP Statistics",
        "@vendor": "VeronaLabs",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "2.6",
          "@severity": "Low",
          "@type": "Base",
          "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2022-000038",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN15241647/index.html",
          "@id": "JVN#15241647",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2022-27231",
          "@id": "CVE-2022-27231",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-27231",
          "@id": "CVE-2022-27231",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
    }

    JVNDB-2017-000068

    Vulnerability from jvndb - Published: 2017-04-13 13:49 - Updated:2017-06-01 13:53
    Severity
    Summary
    WordPress plugin "WP Statistics" vulnerable to cross-site scripting
    Details
    The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79). Note that this vulnerability is different from JVN#62392065. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000068.html",
      "dc:date": "2017-06-01T13:53+09:00",
      "dcterms:issued": "2017-04-13T13:49+09:00",
      "dcterms:modified": "2017-06-01T13:53+09:00",
      "description": "The WordPress plugin \"WP Statistics\" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79).\r\n\r\nNote that this vulnerability is different from JVN#62392065.\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000068.html",
      "sec:cpe": {
        "#text": "cpe:/a:veronalabs:wp_statistics",
        "@product": "WP Statistics",
        "@vendor": "VeronaLabs",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "5.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2017-000068",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN77253951/index.html",
          "@id": "JVN#77253951",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2147",
          "@id": "CVE-2017-2147",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2147",
          "@id": "CVE-2017-2147",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
    }

    JVNDB-2017-000067

    Vulnerability from jvndb - Published: 2017-04-13 13:49 - Updated:2017-06-01 15:23
    Severity
    Summary
    WordPress plugin "WP Statistics" vulnerable to cross-site scripting
    Details
    The WordPress plugin "WP Statistics" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79) in multiple pages due to a flaw in processing HTTP Referer headers. Note that this vulnerability is different from JVN#77253951. Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000067.html",
      "dc:date": "2017-06-01T15:23+09:00",
      "dcterms:issued": "2017-04-13T13:49+09:00",
      "dcterms:modified": "2017-06-01T15:23+09:00",
      "description": "The WordPress plugin \"WP Statistics\" provided by WP Statistics contains a stored cross-site scripting vulnerability (CWE-79) in multiple pages due to a flaw in processing HTTP Referer headers.\r\n\r\nNote that this vulnerability is different from JVN#77253951.\r\n\r\nGen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000067.html",
      "sec:cpe": {
        "#text": "cpe:/a:veronalabs:wp_statistics",
        "@product": "WP Statistics",
        "@vendor": "VeronaLabs",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "5.0",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2017-000067",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN62392065/index.html",
          "@id": "JVN#62392065",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2136",
          "@id": "CVE-2017-2136",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2136",
          "@id": "CVE-2017-2136",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
    }

    JVNDB-2017-000062

    Vulnerability from jvndb - Published: 2017-04-10 13:47 - Updated:2017-06-01 15:24
    Severity
    Summary
    WordPress plugin "WP Statistics" vulnerable to cross-site scripting
    Details
    The WordPress plugin "WP Statistics" provided by WP Statistics contains a reflected cross-site scripting vulnerability (CWE-79). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
    Impacted products
    Show details on JVN DB website

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000062.html",
      "dc:date": "2017-06-01T15:24+09:00",
      "dcterms:issued": "2017-04-10T13:47+09:00",
      "dcterms:modified": "2017-06-01T15:24+09:00",
      "description": "The WordPress plugin \"WP Statistics\" provided by WP Statistics contains a reflected cross-site scripting vulnerability (CWE-79).\r\n\r\nASAI Ken reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2017/JVNDB-2017-000062.html",
      "sec:cpe": {
        "#text": "cpe:/a:veronalabs:wp_statistics",
        "@product": "WP Statistics",
        "@vendor": "VeronaLabs",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "2.6",
          "@severity": "Low",
          "@type": "Base",
          "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2017-000062",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN17633442/index.html",
          "@id": "JVN#17633442",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2135",
          "@id": "CVE-2017-2135",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2017-2135",
          "@id": "CVE-2017-2135",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "WordPress plugin \"WP Statistics\" vulnerable to cross-site scripting"
    }