Cyber Posture

CVE-2026-22850

High · Public PoC

Published: 19 January 2026
Modified: 09 March 2026
KEV Added: not listed
Patch:
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.5th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22850 is a high-severity SQL Injection (CWE-89) vulnerability in Ibericode Koko Analytics. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is categorised as AI-related (Other AI Platforms); see the AI Security Analysis section below for the classification reason.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 (Information Input Validation). Requires validation of untrusted user-supplied path and referrer inputs before database storage and SQL import execution to block SQL injection payloads.

prevent: SI-2 (Flaw Remediation). Mandates timely patching of the plugin to version 2.1.3 or later, directly remediating the arbitrary SQL execution flaw.

prevent: Enforces least privilege on the manage_koko_analytics capability to restrict authenticated users from uploading and executing arbitrary SQL files.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct SQL injection via the public tracking endpoint of the WordPress plugin enables unauthenticated exploitation of a public-facing application, with secondary paths via the admin import/upload feature leading to arbitrary database commands.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue.

Deeper analysis (AI)

CVE-2026-22850 affects Koko Analytics, an open-source analytics plugin for WordPress, in versions prior to 2.1.3. The vulnerability enables arbitrary SQL execution due to unescaped user-supplied values in the analytics export and import features, combined with permissive SQL import handling. Unauthenticated visitors can submit arbitrary path (pa) and referrer (r) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores them verbatim in the analytics database tables. The admin export logic in src/Admin/Data_Export.php then incorporates these values directly into SQL INSERT statements without escaping, allowing attackers to craft payloads that break out of the value context, such as "),('999','x');DROP TABLE wp_users;--.

Attackers can exploit this in two main ways. First, unauthenticated attackers poison the analytics data via the tracking endpoint; when an administrator exports and later imports the tainted data, the import handler in src/Admin/Data_Import.php executes the malicious SQL after a superficial header check, splitting on semicolons and running statements via $wpdb->query without validating table names or types. Second, any authenticated user with the manage_koko_analytics capability can directly upload an arbitrary .sql file for execution in the same permissive manner. Successful exploitation grants arbitrary SQL execution on the WordPress database, enabling deletion of core tables like wp_users, insertion of backdoor administrator accounts, or other destructive and privilege-escalating actions. The CVSS v3.1 base score is 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H), linked to CWE-89 (SQL Injection).

Version 2.1.3 of Koko Analytics patches the vulnerability, as detailed in the plugin's GitHub security advisory (GHSA-jgfh-264m-xh3q) and the fixing commit (7b7d58f4a1838c8203cf4e7bb59847c982432119). Security practitioners should update to 2.1.3 or later and review access to the manage_koko_analytics capability. A proof-of-concept is available via the referenced Google Drive link.
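The export-to-import data flow described in the NVD description and the deeper analysis above is easiest to reason about with a runnable model. The following Python script is an added example, not code from the Koko Analytics plugin: it models the analytics table and the wp_users table in an in-memory SQLite database (a constructed schema, not the plugin's), stores the crafted path quoted in the advisory verbatim, and compares an export that interpolates stored strings unescaped with one that quotes them, followed by an import sink that either executes everything (the permissive behaviour the advisory describes) or applies an allowlist of statement types and table names. The table name, the allowlist and the single-quote delimiter are assumptions of this model.

```python
import re
import sqlite3

# Constructed stand-in for one plugin analytics table and one core table;
# this is not the plugin's real schema.
SCHEMA = """
CREATE TABLE wp_koko_analytics_paths (id INTEGER PRIMARY KEY, path TEXT);
CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT);
"""
# Assumed allowlist: a hardened importer only accepts INSERTs into the plugin's own tables.
ALLOWED_IMPORT_TABLES = {"wp_koko_analytics_paths"}

# The crafted path quoted in the advisory, stored verbatim by the tracking endpoint.
# This model writes single-quoted literals, so the breakout starts with a single quote.
TAINTED_PATH = "'),('999','x');DROP TABLE wp_users;-- "


def export_unescaped(rows):
    """Vulnerable pattern: stored strings are interpolated into the INSERT verbatim."""
    values = ",".join(f"('{row_id}','{path}')" for row_id, path in rows)
    return f"INSERT INTO wp_koko_analytics_paths (id,path) VALUES {values};"


def sql_quote(value):
    """Quote a literal by doubling embedded single quotes (standard SQL, valid in SQLite
    and MySQL). Real plugin code should use the driver's escaper, e.g. $wpdb->prepare(),
    which also handles MySQL backslash escapes."""
    return "'" + str(value).replace("'", "''") + "'"


def export_escaped(rows):
    """Hardened export: every value passes through sql_quote before it reaches the file."""
    values = ",".join(f"({sql_quote(row_id)},{sql_quote(path)})" for row_id, path in rows)
    return f"INSERT INTO wp_koko_analytics_paths (id,path) VALUES {values};"


def split_statements(sql):
    """Quote- and '--'-comment-aware split on ';' (a model, not a full MySQL lexer).
    A split that ignores quoting, as the advisory describes, would also cut
    legitimate values containing ';' into fragments."""
    statements, buf, quote, i = [], [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:                      # inside a string literal: ';' and '--' are data
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif sql.startswith("--", i):  # comment runs to end of line and is dropped
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


INSERT_RE = re.compile(r"^INSERT\s+INTO\s+(\w+)\s", re.IGNORECASE)


def validate_import(statements, allowed_tables=ALLOWED_IMPORT_TABLES):
    """Allowlist check an import handler should apply before $wpdb->query():
    only INSERT statements, and only into the plugin's own analytics tables."""
    accepted, rejected = [], []
    for stmt in statements:
        m = INSERT_RE.match(stmt)
        (accepted if m and m.group(1) in allowed_tables else rejected).append(stmt)
    return accepted, rejected


def round_trip(export_fn, rows, allowlist=True):
    """Export rows with export_fn, import the file into a fresh in-memory database and
    report (rejected statements, paths now stored, whether wp_users survived).
    allowlist=False reproduces the permissive sink: every statement is executed."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    statements = split_statements(export_fn(rows))
    accepted, rejected = validate_import(statements) if allowlist else (statements, [])
    for stmt in accepted:
        db.execute(stmt)
    paths = [p for (p,) in db.execute("SELECT path FROM wp_koko_analytics_paths ORDER BY id")]
    users_intact = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='wp_users'"
    ).fetchone() is not None
    db.close()
    return rejected, paths, users_intact


if __name__ == "__main__":
    rows = [(1, TAINTED_PATH)]
    print("unescaped export, permissive import: ", round_trip(export_unescaped, rows, allowlist=False))
    print("unescaped export, allowlisted import:", round_trip(export_unescaped, rows))
    print("escaped export, allowlisted import:  ", round_trip(export_escaped, rows))
```

Running the script shows the three outcomes side by side: the unescaped export plus permissive import drops wp_users; the unescaped export plus allowlisted import keeps wp_users but still corrupts the analytics data, because the breakout rewrote the value list of a statement the allowlist legitimately accepts; only the escaped export round-trips the stored path unchanged. That is why the advisory's fix addresses the export, not just the import: the import allowlist limits blast radius, while escaping on export removes the injection.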

Details

CWE(s): CWE-89 (SQL Injection)
Affected Products: ibericode koko analytics, ≤ 2.1.3

AI Security Analysis (AI)

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: backdoor

CVEs Like This One

CVE-2026-28438 (shared CWE-89)
CVE-2026-22730 (shared CWE-89)
CVE-2026-30860 (shared CWE-89)
CVE-2026-32628 (shared CWE-89)
CVE-2026-22687 (shared CWE-89)
CVE-2026-3180 (shared CWE-89)
CVE-2025-1872 (shared CWE-89)
CVE-2026-32458 (shared CWE-89)
CVE-2026-24494 (shared CWE-89)
CVE-2025-26875 (shared CWE-89)

References