CVE-2022-25149 - How Hackers Exploit WP Statistics with SQL Injection – A Deep Dive

WordPress is the backbone for millions of websites, but its popularity also means it's a big target for hackers. In this long read, we’ll break down CVE-2022-25149 — a dangerous SQL Injection vulnerability inside the WP Statistics plugin for WordPress (versions up to and including 13.1.5). You’ll learn how this bug works, see real-world code, and get links for more information. This post is exclusive and explained in straightforward language so everyone can understand.

Quick Summary

- Plugin Affected: WP Statistics

Vulnerable Until: version 13.1.5 (patched in later versions)

- CVE: CVE-2022-25149

What is SQL Injection and Why is it Dangerous?

SQL Injection happens when a web application lets users send data to a SQL database without cleaning or "escaping" the input. If attackers can put SQL, they can:

How WP Statistics Got Vulnerable

WP Statistics is installed on well over 500,000 WordPress sites. The plugin collects visitor data, like IP addresses and pages viewed—information stored in your MySQL database.

The vulnerability was in the handling of the IP address parameter in the ~/includes/class-wp-statistics-hits.php file. The plugin failed to "escape" user input and did not use parameterized queries when inserting the IP address into SQL statements. So, hackers could inject their own SQL instead of a normal IP!

Here’s what went wrong in the original code (simplified to make it clear)

// Vulnerable code in class-wp-statistics-hits.php

$ip = $_SERVER['REMOTE_ADDR']; // Gets visitor IP address

$query = "SELECT * FROM {$wpdb->prefix}wp_statistics WHERE ip = '$ip'"; // BAD!
$results = $wpdb->get_results($query);

What’s the problem?
The $ip variable is used directly inside the SQL query in quotes. If an attacker crafts their own request and changes their "IP" (or tricks the code by manipulating headers or direct requests), they can inject SQL code right where $ip goes.

Let’s say the attacker controls what appears in $ip, and they send a request with this IP

' OR 1=1; --

The resulting SQL becomes

SELECT * FROM wp_statistics WHERE ip = '' OR 1=1; -- '

- ' OR 1=1; -- closes the string and makes the WHERE clause always true, returning all rows, not just the IP.

-- comments out the rest.

A skilled attacker can abuse this to extract data, modify tables, or delete data depending on the privileges.

A full exploit could look something like this (simplified demo)

1. Find the site running WP Statistics v13.1.5 or older (tools like WPScan help).
2. Send a web request to a page that uses WP Statistics, but with a malicious IP using X-Forwarded-For header:

How to Fix It (And How Developers Should Do It)

Safe PHP code should never insert user input into SQL directly. Here’s a safe, *parameterized* way with $wpdb:

// Secure code in WordPress plugin
$ip = $_SERVER['REMOTE_ADDR'];
$query = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}wp_statistics WHERE ip = %s", $ip);
$results = $wpdb->get_results($query);

More Technical Details & References

- Original CVE in the NVD
- WPScan Advisory
- Patch Diff on GitHub (if available) (check commits around February 2022)
- SQL Injection Explanation (OWASP)

What Should You Do Now?

If you use WP Statistics, make sure you are running version 13.1.6 or later.  
Site owners:

Final Thoughts

CVE-2022-25149 is a great example of why "sanitize and parameterize all input" is still such important advice. WP Statistics is a trusted plugin, but even the best projects can make mistakes. Never trust user input—even something as harmless-looking as an IP address!

Stay secure and always keep your software updated.

*Exclusive content originally written for this request. Share responsibly!*

Timeline

Published on: 02/24/2022 19:15:00 UTC
Last modified on: 03/03/2022 18:12:00 UTC