
CVE-2022-25149: WP Statistics Plugin SQLi Vulnerability

CVE-2022-25149 is a SQL injection flaw in the WP Statistics WordPress plugin that enables unauthenticated attackers to extract sensitive data. This article covers technical details, affected versions, and mitigation.

CVE-2022-25149 Overview

CVE-2022-25149 is an unauthenticated SQL injection vulnerability in the WP Statistics WordPress plugin developed by VeronaLabs. The flaw exists in the ~/includes/class-wp-statistics-hits.php file, where the IP parameter is not properly escaped or parameterized before being used in SQL queries. Attackers without authentication can inject arbitrary SQL queries to extract sensitive information from the WordPress database. The vulnerability affects all versions of WP Statistics up to and including 13.1.5. The issue is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Unauthenticated attackers can read arbitrary data from the WordPress database, including user credentials, session tokens, and configuration secrets. The EPSS score of 76.26% places this vulnerability in the 98.95th percentile for likelihood of exploitation.

Affected Products

  • VeronaLabs WP Statistics WordPress plugin versions up to and including 13.1.5
  • WordPress sites running the vulnerable plugin with anonymous hit tracking enabled
  • Any WordPress deployment exposing the affected plugin endpoint to the internet

Discovery Timeline

  • 2022-02-24 - CVE-2022-25149 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-25149

Vulnerability Analysis

WP Statistics tracks visitor metrics by recording client IP addresses on each page hit. The plugin reads the visitor IP from HTTP request headers and passes it into database queries inside class-wp-statistics-hits.php. The plugin failed to apply WordPress sanitization helpers such as $wpdb->prepare() or esc_sql() against the IP parameter before query construction. An attacker can supply a crafted X-Forwarded-For or equivalent header value containing SQL syntax, which the plugin then concatenates directly into a query. The injected payload executes with the privileges of the WordPress database user, typically granting full read access to the wp_users, wp_usermeta, and wp_options tables.

Root Cause

The root cause is insufficient input validation and missing parameterization of user-controlled data. WordPress provides the $wpdb->prepare() API specifically to bind parameters safely, but the affected code path concatenated the IP string into the SQL statement. The fix in changeset 2679983 introduced proper escaping and parameter binding for the IP value.
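To make the root cause concrete, here is an added, constructed PHP illustration (it is not WP Statistics' own code, and the function names and the `statistics_visitor` table are assumptions) of the unsafe concatenation pattern beside a hardened version that validates the value as an IP address and binds it through `$wpdb->prepare()`. It also shows the header-trust decision that sits in front of the query: `X-Forwarded-For` is client-controlled unless a proxy you operate overwrites it.

```php
<?php
// Added example, not WP Statistics' own code: a constructed illustration of the
// unsafe pattern the advisory describes, beside a hardened version. The
// function names and the 'statistics_visitor' table are assumptions.

declare(strict_types=1);

// Resolve the client IP. X-Forwarded-For is client-controlled unless a reverse
// proxy you operate overwrites it, so it is only consulted when $behind_proxy
// is true; REMOTE_ADDR (the TCP peer address) is the fallback.
function wpstat_example_client_ip(array $server, bool $behind_proxy): ?string
{
    $candidates = [];
    if ($behind_proxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Comma-separated chain; the right-most entry was appended by the
        // nearest proxy and is the address that proxy actually saw.
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidates[] = end($chain);
    }
    $candidates[] = $server['REMOTE_ADDR'] ?? '';
    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return null;
}

// VULNERABLE pattern (CWE-89): the header value is concatenated into the SQL
// text, so any quote or SQL keyword in it changes the statement that runs.
function wpstat_example_lookup_vulnerable(wpdb $wpdb, string $ip): ?string
{
    $table = $wpdb->prefix . 'statistics_visitor';
    return $wpdb->get_var("SELECT ID FROM {$table} WHERE ip = '{$ip}' LIMIT 1");
}

// HARDENED: validate the value as a literal IP address, then bind it with
// $wpdb->prepare(). The table name comes from $wpdb->prefix, not user input,
// so interpolating it is safe.
function wpstat_example_lookup_hardened(wpdb $wpdb, string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // refuse anything that is not an IPv4/IPv6 address
    }
    $table = $wpdb->prefix . 'statistics_visitor';
    $sql   = $wpdb->prepare("SELECT ID FROM {$table} WHERE ip = %s LIMIT 1", $ip);
    return $wpdb->get_var($sql);
}

// Usage inside WordPress (assumes the global $wpdb has been loaded):
// $ip = wpstat_example_client_ip($_SERVER, behind_proxy: true);
// if ($ip !== null) {
//     $visitor_id = wpstat_example_lookup_hardened($wpdb, $ip);
// }
```

Two layers matter here. Validation alone would already stop this particular injection, because a value containing a quote or a keyword is not an IP address; parameter binding closes the class of bug regardless of what the validator lets through, which is why the fix relies on `$wpdb->prepare()` rather than on input filtering.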

Attack Vector

Exploitation requires no authentication and no user interaction. An attacker sends an HTTP request to a page on the target WordPress site with a malicious value in the IP-bearing header. The plugin processes the header during its hit-tracking routine and executes the injected SQL. A typical exploit uses a UNION-based or time-based blind injection payload to exfiltrate password hashes from the wp_users table. Public proof-of-concept exploitation details are available in the GitHub Gist PoC and the Wordfence Vulnerability Advisory.

Detection Methods for CVE-2022-25149

Indicators of Compromise

  • HTTP requests containing SQL syntax (UNION, SELECT, SLEEP(, --, 0x) in the X-Forwarded-For, Client-IP, or Forwarded headers
  • Unexpected outbound traffic from the WordPress host immediately following anomalous hit-tracking entries
  • Database error messages referencing the wp_statistics_visitor table in PHP error logs
  • New or modified administrator accounts in wp_users shortly after suspicious traffic spikes

Detection Strategies

  • Inspect web server access logs for non-IP-formatted values in IP-bearing headers, particularly entries containing quotes, parentheses, or SQL keywords
  • Deploy a web application firewall rule that rejects requests where the X-Forwarded-For header does not parse as an IP address or a comma-separated list of IP addresses (RFC 7239 defines the standardized Forwarded header; X-Forwarded-For is the de facto equivalent)
  • Audit the WP Statistics plugin version across WordPress fleet inventories and flag instances at or below version 13.1.5

Monitoring Recommendations

  • Enable MySQL general query logging on WordPress database hosts during incident response to capture injected statements
  • Monitor the wp_statistics_hits and wp_statistics_visitor tables for malformed IP values that indicate prior exploitation attempts
  • Alert on outbound HTTP requests from WordPress PHP processes that contain base64-encoded database content
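The log-inspection strategy and the table-monitoring recommendation above both reduce to one predicate: does an IP-bearing value actually look like an IP address? The following added PHP example (not from the advisory or the plugin) applies that predicate to constructed access-log lines. It assumes an Apache combined log format with `"%{X-Forwarded-For}i"` appended as a final quoted field; the same `ip_header_is_wellformed()` check can be run over rows fetched from the visitor table.

```php
<?php
// Added example, not from the advisory or the plugin: flag non-IP values in
// IP-bearing headers over constructed log lines. Assumed log format is Apache
// combined with "%{X-Forwarded-For}i" appended as a final quoted field.

declare(strict_types=1);

// A hit-tracking header should carry one IP or a comma-separated chain of IPs.
function ip_header_is_wellformed(string $value): bool
{
    foreach (explode(',', $value) as $part) {
        $part = trim($part);
        if ($part === '' || filter_var($part, FILTER_VALIDATE_IP) === false) {
            return false;
        }
    }
    return true;
}

// The indicators from the IoC list above, plus quotes and parentheses, which
// never belong in an IP address.
function ip_header_has_sql_syntax(string $value): bool
{
    return (bool) preg_match('/(union|select|sleep\(|benchmark\(|--|0x[0-9a-f]+|[\'"()])/i', $value);
}

// Parse one combined-format line; returns null when the line does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'remote'  => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'xff'     => $m[5],
    ];
}

// Walk the lines and report every X-Forwarded-For value that is not an IP
// (or chain of IPs), noting whether it also carries SQL syntax.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $e = parse_log_line($line);
        if ($e === null || $e['xff'] === '-' || $e['xff'] === '') {
            continue; // unparseable line or header absent ("-" in Apache logs)
        }
        if (!ip_header_is_wellformed($e['xff'])) {
            $findings[] = [
                'line'       => $n + 1,
                'remote'     => $e['remote'],
                'time'       => $e['time'],
                'xff'        => $e['xff'],
                'sql_syntax' => ip_header_has_sql_syntax($e['xff']),
            ];
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic). Only the third is flagged.
$sample = [
    '203.0.113.7 - - [24/Feb/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.4"',
    '203.0.113.7 - - [24/Feb/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.4, 10.0.0.2"',
    '203.0.113.9 - - [24/Feb/2022:10:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "curl/7.81.0" "1.2.3.4\' union select 1,2,3 -- "',
    '203.0.113.8 - - [24/Feb/2022:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "2001:db8::1"',
    '203.0.113.8 - - [24/Feb/2022:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
];

foreach (scan_log($sample) as $f) {
    printf("line %d  remote=%s  time=%s  sql_syntax=%s  xff=%s\n",
        $f['line'], $f['remote'], $f['time'], $f['sql_syntax'] ? 'yes' : 'no', $f['xff']);
}
```

Flagging on "not an IP" rather than on a keyword list is the more robust of the two: it catches encodings and keyword variants a signature misses, and the `sql_syntax` field then tells you whether a malformed value is a benign misconfiguration (for example, a proxy writing `for=` syntax into the header) or an injection attempt worth escalating.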

How to Mitigate CVE-2022-25149

Immediate Actions Required

  • Upgrade WP Statistics to version 13.1.6 or later, which contains the patch from changeset 2679983
  • Rotate all WordPress administrator passwords and invalidate active sessions if exploitation is suspected
  • Review the wp_users table for unauthorized accounts and the wp_options table for tampered values
  • Restrict administrative endpoints behind IP allow-lists or authentication proxies where feasible

Patch Information

VeronaLabs addressed the vulnerability in WP Statistics version 13.1.6. The fix is documented in the WordPress Plugin Changeset and applies parameterized queries to the IP-handling code path. WordPress administrators should enable automatic plugin updates or apply the patch through the WordPress admin dashboard.

Workarounds

  • Disable the WP Statistics plugin until the patched version is installed
  • Configure a reverse proxy or WAF to strip or sanitize the X-Forwarded-For, Client-IP, and Forwarded headers before they reach WordPress
  • Restrict access to the WordPress site to trusted networks while remediation is pending
```apache
# Configuration example: ModSecurity rules blocking SQL syntax in IP headers
# (phase:1 inspects request headers before the body is read). Extend the
# variable list, e.g. REQUEST_HEADERS:X-Forwarded-For|REQUEST_HEADERS:Client-IP,
# to cover the other IP-bearing headers named above.
SecRule REQUEST_HEADERS:X-Forwarded-For "@rx (?i)(union|select|sleep\(|benchmark\(|--|0x[0-9a-f]+)" \
    "id:1002251,phase:1,deny,status:403,log,msg:'CVE-2022-25149 WP Statistics SQLi attempt'"
# Allow-list: only hex digits, colons, dots, commas and whitespace (an IPv4/IPv6
# address or a comma-separated chain); anything else is rejected.
SecRule REQUEST_HEADERS:X-Forwarded-For "!@rx ^[0-9a-fA-F:.,\s]+$" \
    "id:1002252,phase:1,deny,status:403,log,msg:'Malformed IP header - possible injection'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
