PT-2026-3453 · WordPress · Koko Analytics

Naxus-Audit

·

Published

2026-01-19

·

Updated

2026-03-10

·

CVE-2026-22850

CVSS v3.1

8.3

High

Vector

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Koko Analytics versions prior to 2.1.3

Description

Koko Analytics, an open-source analytics plugin for WordPress, is susceptible to arbitrary SQL execution because the analytics export does not escape stored values and the admin SQL import executes whatever it is given.

Unauthenticated visitors can submit arbitrary pa (path) and r (referrer) values to the public tracking endpoint in src/Resources/functions/collect.php; these values are stored as-is in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes the stored values into SQL INSERT statements without proper escaping, so a crafted path such as "),('999','x');DROP TABLE wp_users;--" breaks out of the value list. When an administrator imports the exported file, the import handler in src/Admin/Data_Import.php reads the file with file_get_contents, performs a basic header check, splits the content on semicolons and executes each fragment via $wpdb->query without validating table names or statement types. Authenticated users with the manage_koko_analytics capability can also upload arbitrary .sql files, which are executed in the same permissive manner.

Attacker-controlled input therefore flows from the tracking endpoint into the exported SQL and, through the import, into the database, or arrives directly as a malicious upload, enabling arbitrary SQL execution. An attacker could drop core tables such as wp_users or insert backdoor administrator accounts.

Recommendations

Versions prior to 2.1.3 should be updated to version 2.1.3 or later.
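The export/import chain described above, simulated as an added example (this is not code from the advisory or from Koko Analytics): Python's sqlite3 stands in for $wpdb, the table name ka_paths and its columns are hypothetical, and the attacker path is a constructed value adapted from the advisory's payload (the leading quote closes the open string literal of the generated INSERT). It shows the unescaped export plus semicolon-split import dropping wp_users, and beside it a hardened pair that quotes values on export and, on import, splits statements quote-aware and executes only INSERTs of the expected shape, refusing everything else before running anything.

```python
# Added example, not Koko Analytics code: sqlite3 stands in for $wpdb; the table
# name, columns and sample rows are constructed for illustration.
import re
import sqlite3

TABLE = "ka_paths"  # hypothetical stand-in for the plugin's analytics table

# Constructed attacker input for the public "pa" parameter, adapted from the
# advisory's payload: the leading quote closes the open string literal.
EVIL_PATH = "'),('999','x');DROP TABLE wp_users;--"
SAMPLE_ROWS = [(1, "/hello-world/"), (2, EVIL_PATH)]  # constructed stored rows

def fresh_db():
    """In-memory database with a fake wp_users table and the analytics table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE wp_users (id INTEGER, user_login TEXT);"
        "INSERT INTO wp_users VALUES (1, 'admin');"
        f"CREATE TABLE {TABLE} (id INTEGER, url TEXT);"
    )
    return db

def has_table(db, name):
    q = "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?"
    return db.execute(q, (name,)).fetchone() is not None

def row_count(db):
    return db.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]

# --- the vulnerable pattern the advisory describes ---------------------------
def export_unescaped(rows):
    """Stored values interpolated straight into the INSERT, no escaping."""
    values = ",".join(f"('{rid}','{url}')" for rid, url in rows)
    return f"INSERT INTO {TABLE} (id, url) VALUES {values};\n"

def import_permissive(db, sql):
    """Split on ';' and run every fragment; a failing fragment is skipped,
    much as a false return from $wpdb->query would be."""
    for stmt in sql.split(";"):
        if stmt.strip():
            try:
                db.execute(stmt)
            except (sqlite3.Error, sqlite3.Warning):
                pass

# --- a hardened export/import pair -------------------------------------------
def sql_quote(value):
    """SQLite literal quoting (doubled quotes); with $wpdb use $wpdb->prepare()."""
    return "'" + str(value).replace("'", "''") + "'"

def export_escaped(rows):
    values = ",".join(f"({int(rid)},{sql_quote(url)})" for rid, url in rows)
    return f"INSERT INTO {TABLE} (id, url) VALUES {values};\n"

def split_statements(sql):
    """Split on ';' only outside single-quoted literals ('' stays inside)."""
    stmts, buf, in_str = [], [], False
    for ch in sql:
        if ch == "'":
            in_str = not in_str
        if ch == ";" and not in_str:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]

LITERAL = r"'(?:[^']|'')*'"
ID = r"(?:\d+|'\d+')"
ALLOWED = re.compile(
    rf"INSERT INTO {TABLE} \(id, url\) VALUES \({ID},{LITERAL}\)(?:,\({ID},{LITERAL}\))*"
)

def import_allowlisted(db, sql):
    """Check every statement against the expected INSERT shape before running
    any of them; DROPs, other tables or other columns are refused."""
    stmts = split_statements(sql)
    bad = [s for s in stmts if not ALLOWED.fullmatch(s)]
    if bad:
        raise ValueError(f"refused statement: {bad[0][:40]!r}")
    for s in stmts:
        db.execute(s)
    db.commit()

def run_vulnerable():
    """Unescaped export -> permissive import: (wp_users survives?, rows stored)."""
    db = fresh_db()
    import_permissive(db, export_unescaped(SAMPLE_ROWS))
    return has_table(db, "wp_users"), row_count(db)

def run_hardened():
    """Escaped export -> allowlisted import: (wp_users survives?, urls stored)."""
    db = fresh_db()
    import_allowlisted(db, export_escaped(SAMPLE_ROWS))
    urls = [u for (u,) in db.execute(f"SELECT url FROM {TABLE} ORDER BY id")]
    return has_table(db, "wp_users"), urls

def run_hardened_on_malicious_file():
    """Allowlisted import fed the unescaped file (or any uploaded .sql file)."""
    db = fresh_db()
    try:
        import_allowlisted(db, export_unescaped(SAMPLE_ROWS))
    except ValueError:
        return has_table(db, "wp_users"), row_count(db)
    return None

if __name__ == "__main__":
    print("vulnerable pipeline:", run_vulnerable())
    print("hardened pipeline  :", run_hardened())
    print("malicious file     :", run_hardened_on_malicious_file())
```

Two details carry over to the real fix regardless of dialect: splitting on bare semicolons is wrong on its own, since a legitimate path containing ";" is cut in half while an injected one is executed, so statement boundaries must be found quote-aware; and an importer that accepts any statement an administrator uploads is a standing SQL-execution primitive even after the export is escaped, which is why the import validates the shape of every statement and the table it targets before executing anything. The quoting helper follows SQLite's rule (doubling single quotes); in the plugin's MySQL context the equivalent is building each INSERT with $wpdb->prepare().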

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-22850
GHSA-JGFH-264M-XH3Q

Affected Products

Koko Analytics