SQL Injection Vulnerability in AnalyticsWP Plugin for WordPress
CVE-2024-13321
9.8 CRITICAL
Key Information:
- Vendor: Solid Plugins
- Plugin: AnalyticsWP
- CVE Published: 14 March 2025
Summary
The AnalyticsWP plugin for WordPress is vulnerable to SQL injection via the 'custom_sql' parameter. The flaw stems from missing authorization checks in the handle_get_stats() function, which lets unauthenticated attackers supply their own SQL and alter the queries the plugin runs against the database, potentially exposing sensitive information stored there. Users of AnalyticsWP should update to the latest version to mitigate the risk.
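The bug class described above, shown as an added illustration rather than the plugin's own code: a hypothetical WordPress AJAX handler with the vulnerable shape (raw SQL taken from the request, no authorization), followed by a hardened replacement. The hook names, nonce action, table name and report names are assumptions for the example.

```php
<?php
// Illustrative WordPress AJAX handlers (not AnalyticsWP's code): the vulnerable
// shape the advisory describes, followed by a hardened replacement.

// VULNERABLE shape: reachable without login (nopriv hook) and the handler runs
// whatever SQL arrives in the 'custom_sql' request parameter.
add_action( 'wp_ajax_nopriv_get_stats', 'handle_get_stats_vulnerable' );
function handle_get_stats_vulnerable() {
    global $wpdb;
    $sql = isset( $_POST['custom_sql'] ) ? $_POST['custom_sql'] : '';
    wp_send_json( $wpdb->get_results( $sql ) ); // no auth check, no nonce, raw SQL
}

// HARDENED shape: logged-in-only hook, capability check, nonce check, and the
// client picks a named report instead of supplying SQL. Values are bound with
// $wpdb->prepare(). Table and report names below are hypothetical.
add_action( 'wp_ajax_get_stats', 'handle_get_stats_hardened' );
function handle_get_stats_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'analytics_stats_nonce', 'nonce' ); // dies on failure

    $reports = array(
        'daily_views' => "SELECT DATE(created_at) AS day, COUNT(*) AS views
                          FROM {$wpdb->prefix}analytics_events
                          WHERE created_at >= %s GROUP BY day",
    );
    $report = isset( $_POST['report'] ) ? sanitize_key( $_POST['report'] ) : '';
    if ( ! isset( $reports[ $report ] ) ) {
        wp_send_json_error( 'unknown report', 400 );
    }
    $since = isset( $_POST['since'] )
        ? sanitize_text_field( wp_unslash( $_POST['since'] ) ) : '1970-01-01';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $since ) ) {
        wp_send_json_error( 'bad date', 400 );
    }
    $rows = $wpdb->get_results( $wpdb->prepare( $reports[ $report ], $since ) );
    wp_send_json_success( $rows );
}
```

Adding the capability and nonce checks alone would still leave any user who passes them able to inject; the decisive change is that SQL text never comes from the request.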
Affected Version(s)
AnalyticsWP <= 2.0.0
References
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability Published
Vulnerability Reserved
Credit
Trương Hữu Phúc (truonghuuphuc)