PT-2022-17100 · WordPress · Wp Statistics

Muhammad Zeeshan · Published 2022-02-24 · Updated 2022-03-03 · CVE-2022-25149

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WP Statistics versions up to and including 13.1.5

Description: SQL injection caused by insufficient escaping and parameterization of the IP parameter in the ~/includes/class-wp-statistics-hits.php file. An unauthenticated attacker can inject arbitrary SQL into the query built from that parameter and read sensitive information from the database.

Recommendations: For versions up to and including 13.1.5, update to a version later than 13.1.5, which resolves the issue. As a temporary workaround, restrict access to the ~/includes/class-wp-statistics-hits.php file to reduce exposure, and avoid relying on the IP parameter in the affected functionality until the update has been applied.
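The following is an added illustration written for this advisory, not code taken from WP Statistics. It contrasts the class of defect described above (a client-supplied IP value interpolated into SQL) with the parameterized form using WordPress's $wpdb->prepare(), preceded by strict IP validation. The table name, column names, function names and the request parameter name are assumptions.

```php
<?php
// Added illustration for this advisory; not the WP Statistics code base.
// Assumed names: the table "<prefix>example_visitors", its columns, the
// request parameter "ip", and the three example_* function names.

// Vulnerable pattern: the client-supplied IP is interpolated straight into
// the SQL string, so a constructed value such as  1.2.3.4' OR '1'='1
// rewrites the WHERE clause instead of being compared as data.
function example_vulnerable_lookup_by_ip( wpdb $wpdb, string $ip ) {
    $table = $wpdb->prefix . 'example_visitors'; // prefix is trusted config
    $sql   = "SELECT id, ip, last_counter FROM {$table} WHERE ip = '{$ip}'";
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Hardened pattern: reject anything that is not a literal IPv4/IPv6
// address, then bind the value with $wpdb->prepare(), which quotes and
// escapes %s placeholders so the value can only ever be data.
function example_safe_lookup_by_ip( wpdb $wpdb, string $ip ) {
    $validated = filter_var( $ip, FILTER_VALIDATE_IP );
    if ( false === $validated ) {
        return null; // "1.2.3.4' OR '1'='1" never reaches the query
    }
    $table = $wpdb->prefix . 'example_visitors';
    $sql   = $wpdb->prepare(
        "SELECT id, ip, last_counter FROM {$table} WHERE ip = %s",
        $validated
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Reading the value from the request (assumed parameter name). wp_unslash()
// only strips the slashes WordPress adds to request data; it is not SQL
// escaping and must not be mistaken for it.
function example_request_ip() {
    return isset( $_REQUEST['ip'] ) ? (string) wp_unslash( $_REQUEST['ip'] ) : '';
}
```

The validation step alone already blocks the injection, because no quote or SQL keyword survives FILTER_VALIDATE_IP; $wpdb->prepare() is the defense that remains correct even when a future change passes a value that is not an IP. Only the table prefix, which comes from configuration rather than the request, is interpolated into the query string; a literal percent sign in a prepared query has to be written as %%.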

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2022-25149

Affected Products: Wp Statistics