PT-2022-17099 · WordPress · WP Statistics

Muhammad Zeeshan · Published 2022-02-24 · Updated 2024-01-25 · CVE-2022-25148

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Statistics, versions up to and including 13.1.5

Description: SQL injection caused by insufficient escaping and parameterization of the current page id parameter (`current_page_id`) handled in ~/includes/class-wp-statistics-hits.php. Because the value is placed into the query without being validated or bound, an unauthenticated attacker can inject arbitrary SQL and read sensitive information from the WordPress database.

Recommendations: For versions up to and including 13.1.5, update to a version later than 13.1.5, which resolves the issue. As a temporary workaround, restrict access to ~/includes/class-wp-statistics-hits.php to reduce the exposure, and avoid using the current page id parameter on the affected API endpoint until the plugin has been updated.
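The following is an added illustrative example, not code from WP Statistics or from this advisory's author. It models the class of bug described above (a numeric request parameter concatenated into SQL text) next to the parameterized fix. PDO with an in-memory SQLite database stands in for WordPress's `$wpdb` so the script runs stand-alone; the table and column names, the sample rows and the function names are constructed for the demo.

```php
<?php
// Added illustrative example (not code from WP Statistics): a numeric "current page id"
// request parameter concatenated into SQL, beside the parameterized fix. PDO + SQLite
// replaces WordPress's $wpdb so this runs without a WordPress install. All table names,
// column names and rows below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: a users table an attacker would want to read, and the
// statistics table the vulnerable query is supposed to be reading from.
$db->exec("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)");
$db->exec("INSERT INTO wp_users VALUES (1, 'admin', 'phpass-hash-placeholder')");
$db->exec("CREATE TABLE wp_statistics_pages (page_id INTEGER, uri TEXT, hits INTEGER)");
$db->exec("INSERT INTO wp_statistics_pages VALUES (7, '/hello-world/', 3)");

// Vulnerable pattern: the raw request value becomes part of the SQL statement itself.
function vulnerable_page_hits(PDO $db, string $current_page_id): array
{
    $sql = "SELECT uri, hits FROM wp_statistics_pages WHERE page_id = " . $current_page_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened pattern: reject anything that is not a plain non-negative integer, then bind
// the value as a query parameter so the database never parses it as SQL.
function hardened_page_hits(PDO $db, string $current_page_id): array
{
    if (!ctype_digit($current_page_id)) {
        return [];
    }
    $stmt = $db->prepare("SELECT uri, hits FROM wp_statistics_pages WHERE page_id = :id");
    $stmt->execute([':id' => (int) $current_page_id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// A UNION-based payload supplied in place of the page id. No authentication and no
// quote characters are needed, because the parameter is numeric and sits unquoted
// in the query text.
$payload = "0 UNION SELECT user_login, user_pass FROM wp_users";

print_r(vulnerable_page_hits($db, "7"));      // the legitimate lookup
print_r(vulnerable_page_hits($db, $payload)); // the UNION pulls rows out of wp_users instead
print_r(hardened_page_hits($db, $payload));   // payload rejected before any query is built
print_r(hardened_page_hits($db, "7"));        // legitimate lookup still works
```

Inside WordPress the equivalent hardening is `$wpdb->prepare()` with a `%d` placeholder (optionally after `absint()` on the input) rather than PDO; the principle is the same: validate the type, then bind, and never build the statement by string concatenation.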

Weakness Enumeration: SQL injection (CWE-89)

Related Identifiers: CVE-2022-25148

Affected Products: WP Statistics