CVE-2022-33965: WP Visitor Statistics SQLi Vulnerability

CVE-2022-33965 is an unauthenticated SQL injection vulnerability in the WP Visitor Statistics plugin for WordPress that lets remote attackers manipulate the plugin's database queries. This article covers the technical details, affected versions, detection and mitigation.

CVE-2022-33965 Overview

CVE-2022-33965 affects the WP Visitor Statistics (Real Time Traffic) plugin by Osamaesh, distributed under the wp-stats-manager slug on WordPress.org. Versions 5.7 and earlier contain multiple unauthenticated SQL injection (SQLi) flaws, classified as CWE-89. Attackers can send crafted HTTP requests to the vulnerable endpoints without authenticating and inject arbitrary SQL into the backend queries. Successful exploitation exposes the contents of the WordPress database, including user password hashes in wp_users, session token hashes in wp_usermeta, and post content. The vulnerability is reachable over the network with low attack complexity and requires no user interaction.

Critical Impact

Unauthenticated remote attackers can read, modify, or destroy WordPress database contents and potentially escalate to full site takeover.

Affected Products

  • Codepress / Osamaesh WP Visitor Statistics (Real Time Traffic) plugin for WordPress
  • All versions up to and including 5.7
  • WordPress installations using the wp-stats-manager plugin slug

Discovery Timeline

  • 2022-07-25 - CVE-2022-33965 published to NVD
  • 2026-03-06 - Last updated in NVD database

Technical Details for CVE-2022-33965

Vulnerability Analysis

The WP Visitor Statistics plugin tracks visitor traffic and exposes reporting and tracking endpoints that accept HTTP parameters and use them directly in SQL statements. Multiple parameters across the plugin's request handlers are concatenated into query strings without parameterized binding through $wpdb->prepare() and without input validation. Because the vulnerable endpoints enforce neither authentication nor a capability check, any remote client can submit injection payloads. Depending on the injection point, an attacker can extract data with UNION SELECT payloads, enumerate the schema via information_schema, or fall back to time-based blind extraction with SLEEP() where query results are not reflected in the response. The result is read access to the WordPress database, including the password hashes in wp_users. One caveat a practitioner should keep in mind: $wpdb issues a single statement per call, so stacked queries (appending ; INSERT ... to a SELECT) are not available, and direct writes are only possible where the injection lands inside an INSERT or UPDATE statement. Site takeover therefore more commonly follows from cracking extracted password hashes or reusing leaked secrets than from inserting an administrator row directly.

Root Cause

The root cause is improper neutralization of special elements used in SQL commands (CWE-89). User-controlled input flows directly into dynamically constructed queries inside the plugin's PHP request handlers, with no esc_sql(), prepared statements, or input type validation applied before query execution. Note that esc_sql() on its own only neutralizes quote characters and would not protect unquoted numeric contexts such as LIMIT or ORDER BY clauses; the correct fix is $wpdb->prepare() with %d and %s placeholders, together with a capability check (and a nonce check for admin-ajax actions) on the endpoint itself.
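The vulnerable pattern and its fix, as an added example that is not the plugin's own code: the first handler below reproduces the shape the Vulnerability Analysis and Root Cause sections describe (raw request values concatenated into a query, no capability check), and the second is the hardened version using $wpdb->prepare(). The FakeWpdb class, the wp_visitor_stats table and the from/limit parameter names are assumptions made so the script runs under the PHP CLI without WordPress; in a real plugin you would use the global $wpdb and current_user_can().

```php
<?php
// Added example, not code from the WP Visitor Statistics plugin.
// FakeWpdb, the table name and the parameter names are assumptions.

final class FakeWpdb
{
    public string $prefix = 'wp_';
    public string $last_query = '';

    /** Mirrors what matters here about $wpdb->prepare(): %d is cast to an integer,
     *  %s is escaped and single-quoted. Real WordPress escapes through
     *  mysqli_real_escape_string(); addslashes() stands in for that here. */
    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function (array $m) use ($args, &$i): string {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    public function get_results(string $sql): array
    {
        $this->last_query = $sql;   // a real wpdb would send this to MySQL
        return [];
    }
}

/** The vulnerable shape: no capability check, request values pasted into SQL. */
function report_vulnerable(FakeWpdb $wpdb, array $request): string
{
    $from  = $request['from']  ?? '1970-01-01';
    $limit = $request['limit'] ?? '10';
    // 'from' sits in a quoted context, 'limit' in an unquoted numeric one;
    // esc_sql() would only have helped with the first.
    $sql = "SELECT ip, referer, visit_date FROM {$wpdb->prefix}visitor_stats"
         . " WHERE visit_date >= '{$from}' ORDER BY visit_date DESC LIMIT {$limit}";
    $wpdb->get_results($sql);
    return $wpdb->last_query;
}

/** Hardened: capability check first, strict validation, then $wpdb->prepare(). */
function report_hardened(FakeWpdb $wpdb, array $request, bool $can_manage_options): ?string
{
    if (!$can_manage_options) {          // current_user_can('manage_options') in WordPress;
        return null;                     // admin-ajax actions also need check_ajax_referer()
    }
    $from = $request['from'] ?? '1970-01-01';
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $from)) {
        return null;                     // reject anything that is not a bare date
    }
    $limit = min(max((int) ($request['limit'] ?? 10), 1), 1000);
    $sql = $wpdb->prepare(
        "SELECT ip, referer, visit_date FROM {$wpdb->prefix}visitor_stats"
        . " WHERE visit_date >= %s ORDER BY visit_date DESC LIMIT %d",
        $from,
        $limit
    );
    $wpdb->get_results($sql);
    return $wpdb->last_query;
}

// Constructed attack input: a UNION payload in the quoted parameter and
// another in the unquoted LIMIT parameter.
$wpdb   = new FakeWpdb();
$attack = [
    'from'  => "2022-07-01' UNION SELECT user_login, user_pass, 1 FROM wp_users-- -",
    'limit' => '10 UNION SELECT user_login, user_pass, 1 FROM wp_users',
];

echo "vulnerable:        ", report_vulnerable($wpdb, $attack), "\n";
echo "hardened (attack): ", report_hardened($wpdb, $attack, true) ?? 'rejected', "\n";
echo "hardened (valid):  ", report_hardened($wpdb, ['from' => '2022-07-01', 'limit' => '10 UNION SELECT 1'], true), "\n";
```

Run with php report.php. The vulnerable handler emits a query whose WHERE clause ends in the attacker's UNION SELECT against wp_users; the hardened handler rejects the malformed date outright, and for a valid date the (int) cast reduces the LIMIT payload to 10 before prepare() ever sees it. The point of the unquoted LIMIT example is that no amount of quote escaping would have helped there; only type coercion or a %d placeholder does.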

Attack Vector

Exploitation is purely network-based: an attacker sends HTTP(S) requests to the vulnerable plugin endpoints exposed on a WordPress site. No credentials or user interaction are required, and the only reconnaissance needed is confirming that the plugin is installed, for example by requesting a known file under /wp-content/plugins/wp-stats-manager/. The Exploit Prediction Scoring System (EPSS) places this issue at the 97.5th percentile, meaning it is more likely to see exploitation activity than roughly 97.5% of all scored CVEs.

No verified public proof-of-concept code is referenced in the available advisories. See the Patchstack Vulnerability Report for technical details on the affected request handlers.

Detection Methods for CVE-2022-33965

Indicators of Compromise

  • Web server access logs containing SQL syntax such as UNION SELECT, SLEEP(, BENCHMARK(, or information_schema in query strings to plugin endpoints
  • Unexpected new WordPress administrator accounts or modified wp_users and wp_usermeta rows
  • Database errors logged by WordPress or MySQL that reference wp-stats-manager plugin code paths
  • Bursts of requests from a single source IP to wp-admin/admin-ajax.php or plugin-specific PHP files, especially with varying SQL-like parameter values or unusually slow 200-status responses (a sign of SLEEP()-based probing)

Detection Strategies

  • Inspect HTTP request parameters destined for /wp-content/plugins/wp-stats-manager/ and admin-ajax.php actions, after URL-decoding the query string, for SQL metacharacters and tautologies such as ' OR 1=1--
  • Enable WordPress WP_DEBUG_LOG and review wp-content/debug.log for wpdb query errors originating in the plugin
  • Deploy a Web Application Firewall (WAF) rule set targeting SQLi patterns on WordPress endpoints

Monitoring Recommendations

  • Alert on requests to the plugin that contain encoded SQL keywords (%27, %20OR%20, 0x)
  • Monitor MySQL slow query and general logs for queries containing unusual UNION or information_schema references
  • Track plugin inventory across managed WordPress sites and flag any instance running wp-stats-manager version 5.7 or earlier
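The log inspection described in the Detection Strategies and Monitoring Recommendations lists, as an added example that is not part of the original advisory: a small PHP script that parses combined-format access log lines, URL-decodes the query string so encoded payloads (%27, %20OR%20, 0x...) normalize, and flags requests to the plugin's endpoints that carry SQLi patterns. The sample log lines, the wsm_stats action name and the ajax.php filename are constructed for illustration; only the plugin directory comes from the advisory.

```php
<?php
// Added example, not from the advisory or the plugin vendor. Requires PHP 8.0+.
// Sample log lines and endpoint names below are constructed.

const PLUGIN_PATHS = [
    '/wp-content/plugins/wp-stats-manager/',
    '/wp-admin/admin-ajax.php',
];

// Matched against the decoded query string. Kept deliberately narrow;
// tune for your own false-positive rate before alerting on them.
const SQLI_PATTERNS = [
    'union_select' => '/\bunion\b\s+(all\s+)?select\b/i',
    'time_based'   => '/\b(sleep|benchmark)\s*\(/i',
    'schema_enum'  => '/\binformation_schema\b/i',
    'tautology'    => '/[\'"]\s*(or|and)\s+[\'"\d]/i',
    'hex_literal'  => '/\b0x[0-9a-f]{8,}\b/i',
    'comment_tail' => '/--(\s|$)|\/\*/',
];

/** Parse one Apache/Nginx combined-format line into the fields we need, or null. */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = parse_url($m[4]) ?: ['path' => $m[4]];
    // Decode twice so single- and double-encoded payloads both normalize.
    $query = urldecode(urldecode($parts['query'] ?? ''));
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts['path'] ?? $m[4],
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

function targets_plugin(string $path): bool
{
    foreach (PLUGIN_PATHS as $prefix) {
        if (str_starts_with($path, $prefix)) {
            return true;
        }
    }
    return false;
}

/** One hit per request that targets a plugin endpoint and carries an SQLi pattern. */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null || !targets_plugin($req['path'])) {
            continue;
        }
        foreach (SQLI_PATTERNS as $name => $re) {
            if (preg_match($re, $req['query'])) {
                $hits[] = [
                    'ip' => $req['ip'], 'time' => $req['time'], 'path' => $req['path'],
                    'status' => $req['status'], 'pattern' => $name, 'query' => $req['query'],
                ];
                break;   // one alert per request is enough
            }
        }
    }
    return $hits;
}

// Constructed sample: a benign report request, a UNION-based extraction attempt
// against admin-ajax.php, a time-based probe against a plugin file, and an
// unrelated login request that must not match.
$sampleLog = [
    '203.0.113.7 - - [25/Jul/2022:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=wsm_stats&from=2022-07-01 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jul/2022:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=wsm_stats&from=2022-07-01%27%20UNION%20SELECT%20user_login,user_pass,1%20FROM%20wp_users--%20- HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Jul/2022:10:02:40 +0000] "GET /wp-content/plugins/wp-stats-manager/ajax.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 0 "-" "curl/7.81.0"',
    '192.0.2.9 - - [25/Jul/2022:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sampleLog) as $hit) {
    printf("%s %s %s [%s] %s\n", $hit['time'], $hit['ip'], $hit['path'], $hit['pattern'], $hit['query']);
}
```

Against the sample, the second line is flagged as union_select and the third as time_based; the benign request and the login are ignored. Two limits worth knowing before relying on this: access logs only record GET query strings, so POST bodies to admin-ajax.php need WAF or application-level logging to be seen at all, and a visitor-statistics plugin legitimately receives referrer URLs that may contain quotes or SQL keywords, so expect to tune the patterns on real traffic.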

How to Mitigate CVE-2022-33965

Immediate Actions Required

  • Update the WP Visitor Statistics plugin to a version newer than 5.7 if available, or remove the plugin entirely
  • Audit the WordPress database for unauthorized administrator accounts and rotate all user passwords and secret keys in wp-config.php
  • Place a WAF in front of the WordPress site with rules blocking SQL injection patterns on plugin endpoints
  • Review web and database logs for indicators of prior exploitation

Patch Information

Refer to the Patchstack Vulnerability Report and the WordPress Plugin Developer Info page for the latest fixed release. Apply the vendor-supplied update through the WordPress plugin management console and verify the installed version after upgrade.

Workarounds

  • Deactivate and delete the wp-stats-manager plugin until a patched version is confirmed installed
  • Restrict access to /wp-admin/ and admin-ajax.php by IP allowlist at the reverse proxy or WAF; note that admin-ajax.php also serves unauthenticated front-end features on many sites, so test before enforcing
  • Apply least-privilege configuration to the WordPress database user, removing DROP, ALTER, and FILE privileges where not required
```bash
# Workaround: remove the vulnerable plugin with WP-CLI. Run as the web user from
# the WordPress root (the /var/www/html path below is an assumed default).
cd /var/www/html

# Record the installed version first; 5.7 and earlier are affected
wp plugin get wp-stats-manager --field=version

# Deactivate, then delete so no plugin PHP files remain reachable over HTTP
wp plugin deactivate wp-stats-manager
wp plugin delete wp-stats-manager

# Verify no residual plugin files remain
find /var/www/html/wp-content/plugins -name 'wp-stats-manager*'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
