CVE-2022-38074: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in VeronaLabs WP Statistics plugin versions 13.2.10 and below. The vulnerability was identified on January 31, 2023, and assigned CVE-2022-38074. The issue affects WordPress installations using the WP Statistics plugin, with the vulnerability being exploitable by users with privileges as low as subscriber level (Patchstack, WPScan).

The vulnerability stems from improper sanitization and escaping of certain parameters before their use in SQL statements. It has been classified as a CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) vulnerability. The severity of this vulnerability has been rated with multiple CVSS scores: NVD assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 9.9 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information, data manipulation, and possible database compromise. The high CVSS scores indicate the significant potential impact of this vulnerability (Patchstack).

The vulnerability has been patched in version 13.2.11 of the WP Statistics plugin. Site administrators are strongly advised to update to this version or later to resolve the vulnerability. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).