CVE-2022-4230
Published: 23 January 2023
Summary
CVE-2022-4230 is a high-severity SQL Injection (CWE-89) vulnerability in Veronalabs Wp Statistics. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The WP Statistics WordPress plugin before version 13.2.9 is vulnerable to SQL injection because it fails to properly escape a parameter. The issue is tracked as CWE-89 and carries a CVSS 3.1 score of 8.8. By default the affected functionality requires the manage_options capability, but the plugin can be configured to grant access to lower-privileged accounts as well.
An authenticated attacker who can reach the feature may inject arbitrary SQL, resulting in full read/write access to the database and potential compromise of confidentiality, integrity, and availability. Exploitation does not require user interaction and can be performed over the network.
The referenced WPScan advisory identifies the flaw and points to version 13.2.9 as the corrective release. The EPSS score rose from a low baseline to a peak of 0.2161, indicating a clear increase in observed exploitation interest after disclosure.
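To make the weakness class concrete, the following is an added illustration written for this page, not code from the WP Statistics plugin; the parameter name, table name and function names are hypothetical, since the advisory does not name the unescaped parameter. It contrasts the interpolation pattern the advisory describes with the prepared-statement and capability-check form that closes it, regardless of which role the plugin setting grants access to.

```php
<?php
// Added illustration, not WP Statistics code. The parameter name, table name
// and function names are hypothetical; the advisory does not name them.

// Pattern the advisory describes: a request parameter is concatenated into
// SQL without escaping, so any user who can reach the feature controls the
// query text (CWE-89).
function wps_example_vulnerable_lookup( array $request ) {
    global $wpdb;
    $uri = $request['page_uri'];                         // hypothetical input
    $sql = "SELECT * FROM {$wpdb->prefix}statistics_pages "
         . "WHERE uri = '" . $uri . "'";                  // unescaped
    return $wpdb->get_results( $sql );
}

// Hardened form: bind the value through $wpdb->prepare(), so it can only be
// a string literal, and gate the feature on an explicit capability check.
// Even if a plugin setting lowers $required_cap for low-privilege users,
// the bound parameter can no longer change the query structure.
function wps_example_safe_lookup( array $request, $required_cap = 'manage_options' ) {
    global $wpdb;
    if ( ! current_user_can( $required_cap ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability' );
    }
    $uri = isset( $request['page_uri'] ) ? (string) $request['page_uri'] : '';
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}statistics_pages WHERE uri = %s",
        $uri
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin for this class of bug, the review check is the same as the contrast above: every value that reaches `$wpdb->query()`, `$wpdb->get_results()` or similar must pass through `$wpdb->prepare()` (or an equivalent escaping call), and access to the feature must be enforced by a capability check rather than assumed from the admin UI.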
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-51589
Vulnerability details
The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting to allow low-privilege users to access it as well.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.