Koko Analytics
Approved changes feed: RSS · Atom
cpe:2.3:a:ibericode:koko-analytics:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Ibericode (a9e8df76-4693-5b34-b978-58cd1a10c3bb) |
|---|---|
| Product | Koko Analytics (d7b5fec6-2904-5113-81b9-51f0931e69f6) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-22850 |
vulnerable | 2026-06-08 07:51:14.019053 |
Koko Analytics vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import
HIGH (8.4)
Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue.
Published: 2026-01-19T16:51:00.394Z
Updated: 2026-01-20T21:35:14.638Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.