FKIE_CVE-2026-22850
Vulnerability from fkie_nvd - Published: 2026-01-19 17:15 - Updated: 2026-03-09 21:16
Severity: HIGH (CVSS v3.1 base score 8.3, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, CWE-89). The metric is the secondary assessment from security-advisories@github.com; the high attack complexity and required user interaction reflect that the unauthenticated path only fires when an administrator exports and then re-imports the poisoned data.
Summary
Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue.
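The data flow described above, replayed end to end as an added example. This is not Koko Analytics code and not the upstream fix; it is a self-contained Python simulation against an in-memory SQLite database that models the two sinks the advisory names (an exporter that writes stored values into INSERT statements unescaped, and an importer that does a header check, splits on semicolons and runs every piece) beside a hardened exporter and importer. The table name `wp_koko_analytics_paths`, the column names, the export header line and the attacker string are assumptions constructed for the illustration; the real plugin's file layout and table schema may differ.

```python
"""Added example (not Koko Analytics code): the CVE-2026-22850 data flow
replayed against an in-memory SQLite database. The vulnerable exporter and
the split-on-';' importer follow the advisory's description; the table name,
column names and export-file layout are assumptions for illustration."""
import re
import sqlite3

# Constructed attacker input for the tracking endpoint's `pa` parameter. The
# first quote closes the open string literal, `)` closes the value tuple, `;`
# ends the INSERT, and `-- ` comments out the exporter's trailing `')`.
MALICIOUS_PATH = "'),('999','x');DROP TABLE wp_users;-- "

PATHS_TABLE = "wp_koko_analytics_paths"  # assumed plugin table

# Allow-list for the hardened importer: one INSERT into a plugin table whose
# VALUES are only integer or single-quoted literals (no subqueries, no DDL).
_LIT = r"(?:\d+|'(?:[^']|'')*')"
_TUPLE = rf"\((?:{_LIT},)*{_LIT}\)"
ALLOWED_INSERT = re.compile(
    rf"^INSERT INTO wp_koko_analytics_\w+ \((?:\w+, )*\w+\) VALUES (?:{_TUPLE},)*{_TUPLE}$")

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        INSERT INTO wp_users VALUES (1, 'admin');
        CREATE TABLE {PATHS_TABLE} (id INTEGER, path TEXT);""")
    return db

def collect(db, path):
    # Tracking endpoint: the string is stored verbatim through a parameterised
    # query, so nothing breaks here; it only becomes SQL when exported.
    db.execute(f"INSERT INTO {PATHS_TABLE} VALUES (?, ?)", (1, path))

def quote_unescaped(value):
    # Pre-2.1.3 behaviour as described: quotes around the value, no escaping.
    return f"'{value}'"

def sql_literal(value):
    # Standard SQL quoting: double embedded single quotes. For MySQL also
    # escape backslashes, which WordPress's $wpdb->prepare()/esc_sql() do.
    return "'" + str(value).replace("'", "''") + "'"

def export_sql(db, quote):
    # `quote` turns a stored value into SQL text: quote_unescaped or sql_literal.
    rows = db.execute(f"SELECT id, path FROM {PATHS_TABLE}").fetchall()
    values = ",".join(f"({int(i)},{quote(p)})" for i, p in rows)
    return f"-- Koko Analytics export\nINSERT INTO {PATHS_TABLE} (id, path) VALUES {values};\n"

def import_vulnerable(db, sql_text):
    # Superficial header check, blind split on ';', then run every piece.
    if not sql_text.startswith("-- Koko Analytics export"):
        raise ValueError("not an export file")
    for piece in sql_text.split(";"):
        stmt = "\n".join(line for line in piece.splitlines() if not line.startswith("--")).strip()
        if stmt:
            db.execute(stmt)

def split_statements(sql_text):
    """Split on ';' only outside single-quoted literals and drop `--` comments.
    (A MySQL importer must also handle `#` and `/* */` comments and backslash
    escapes; this is the minimum that makes ';' inside data safe.)"""
    stmts, buf, in_str, i, n = [], [], False, 0, len(sql_text)
    while i < n:
        c = sql_text[i]
        if in_str:
            buf.append(c)
            if c == "'":
                if sql_text[i + 1:i + 2] == "'":
                    buf.append("'"); i += 1  # '' is an escaped quote
                else:
                    in_str = False
        elif c == "'":
            in_str = True; buf.append(c)
        elif sql_text.startswith("--", i):
            j = sql_text.find("\n", i)
            i = n if j < 0 else j  # skip to the newline, which is kept
            continue
        elif c == ";":
            stmts.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    stmts.append("".join(buf))
    return [s.strip() for s in stmts if s.strip()]

def validate_import(sql_text):
    """Return (accepted, rejected) statements; anything outside the allow-list
    (DROP, a write to wp_users, a subquery in VALUES) lands in rejected."""
    accepted, rejected = [], []
    for stmt in split_statements(sql_text):
        (accepted if ALLOWED_INSERT.match(stmt) else rejected).append(stmt)
    return accepted, rejected

def import_fixed(db, sql_text):
    accepted, rejected = validate_import(sql_text)
    if rejected:  # validate the whole file before executing anything
        raise ValueError(f"refusing import, disallowed statement: {rejected[0][:40]!r}")
    with db:  # all-or-nothing
        for stmt in accepted:
            db.execute(stmt)

def table_exists(db, name):
    row = db.execute("SELECT 1 FROM sqlite_master WHERE name = ?", (name,)).fetchone()
    return row is not None
```

Running `import_vulnerable` on the output of `export_sql(db, quote_unescaped)` drops `wp_users`; running `import_fixed` on `export_sql(db, sql_literal)` round-trips the attacker string as plain data with `wp_users` intact, and `validate_import` applied to the old unescaped export rejects the `DROP TABLE wp_users` piece before anything executes. Note the second defence is not optional once values are escaped: a correctly quoted path still contains a raw `;`, so an importer that splits on semicolons without tracking string literals would cut the good INSERT in half. Escaping on export and parsing plus allow-listing on import each close the hole on their own; the safest design avoids SQL as an interchange format altogether and imports structured data through parameterised queries.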
References
- https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q (vendor advisory; exploit details and mitigation)
- https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119 (patch)
- https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing (exploit, mitigation)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ibericode | koko_analytics | * (all versions before 2.1.3; CPE match uses versionEndExcluding 2.1.3) |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ibericode:koko_analytics:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CB3DC92C-231A-456F-A8CE-109A55F6F278",
"versionEndExcluding": "2.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as \"),(\u0027999\u0027,\u0027x\u0027);DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb-\u003equery with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue."
},
{
"lang": "es",
"value": "Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution because analytics data is exported and imported without escaping and the administrative SQL import is too permissive. Unauthenticated visitors can send arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings as-is in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A manipulated path such as \"),(\u0027999\u0027,\u0027x\u0027);DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb-\u003equery without validating table names or statement types. In addition, any authenticated user with the manage_koko_analytics capability can upload an arbitrary .sql file and have it executed in the same permissive way. Together, attacker-controlled input flows from the tracking endpoint into the exported SQL and through the import execution sink, or directly via malicious uploads, allowing arbitrary SQL execution. In the worst case, attackers can execute arbitrary SQL against the WordPress database, which would let them delete core tables (for example wp_users), create backdoor administrator accounts, or carry out other destructive or privilege-escalating actions. Version 2.1.3 fixes this issue."
}
],
"id": "CVE-2026-22850",
"lastModified": "2026-03-09T21:16:44.957",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-19T17:15:50.430",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation"
],
"url": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.