CVE-2022-33965
published 2022-07-25

CVE-2022-33965: Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plugin <= 5.7 at WordPress.

Priority: P265 | Severity: critical | CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 3.41% (87.4th percentile)
Affected (2 ranges)

Vendor      Product                 Version range   Fixed in
codepress   visitor_statistics      < 5.8           5.8
osamaesh    wp_visitor_statistics   <= 5.7          (not listed)

Detection & IOCs (extracted from sources)

url:   /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=1331'+and+sleep(7)+or+'
other: wmcAction=wmcTrack
path:  /wp-content/plugins/wp-stats-manager
  • Time-based blind SQLi: inject sleep(7) via the `visitorId` GET parameter of the `wmcTrack` action; flag if HTTP response duration >= 7 seconds with HTTP 200.
  • Match the response body for the literal injected payload string to confirm exploitation: regex `^1331' and sleep\(7\) or '$`
  • Shodan fingerprint for exposed instances: search `http.html:"wp-stats-manager"`
  • FOFA fingerprint for exposed instances: search `body="wp-stats-manager"`
  • The vulnerability is unauthenticated (no credentials required); any HTTP client can trigger it via a crafted GET request to the WordPress front-end.
  • The time-based detection threshold is set to a 7-second sleep; adjust WAF/IDS timeout baselines accordingly to avoid false negatives on slow hosts.
  • Affected versions are <= 5.7; upgrade to version 5.8 or later to remediate.
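The detection notes above can be turned into a log-based check. The following is an added example, not code from the CVE source or the plugin: it scans constructed web-server access-log lines (assumed combined log format with the request time in seconds appended, as nginx's `$request_time` would give) for `wmcAction=wmcTrack` requests whose `visitorId` is non-numeric or carries a time-delay function, and for the slow HTTP 200 responses that a successful `sleep(7)` probe produces.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (assumption: combined log format with the request
# time in seconds appended, e.g. nginx "$request_time"). Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2022:10:00:01 +0000] "GET /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=42 HTTP/1.1" 200 12 0.031
203.0.113.10 - - [25/Jul/2022:10:00:05 +0000] "GET /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=1331'+and+sleep(7)+or+' HTTP/1.1" 200 12 7.214
198.51.100.7 - - [25/Jul/2022:10:00:09 +0000] "GET /?wmcAction=wmcTrack&url=test&uid=0&pid=0&visitorId=1331%27%20and%20sleep%287%29%20or%20%27 HTTP/1.1" 200 12 0.044
198.51.100.7 - - [25/Jul/2022:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 0.120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
# Time-delay functions typically seen in time-based blind SQLi probes.
TIME_FUNC_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)
SLEEP_THRESHOLD = 7.0  # seconds; matches the sleep(7) probe in the IOC above


def analyze(line):
    """Return a finding dict for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, as the server would.
    qs = parse_qs(urlparse(m.group("target")).query, keep_blank_values=True)
    if qs.get("wmcAction", [""])[0] != "wmcTrack":
        return None
    visitor_id = qs.get("visitorId", [""])[0]
    reasons = []
    if not visitor_id.isdigit():            # visitorId is expected to be numeric
        reasons.append("non_numeric_visitorId")
    if TIME_FUNC_RE.search(visitor_id):
        reasons.append("time_based_sqli_pattern")
    if m.group("status") == "200" and float(m.group("rt")) >= SLEEP_THRESHOLD:
        reasons.append("slow_response")     # the delay a successful probe causes
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "visitorId": visitor_id,
            "rt": float(m.group("rt")), "reasons": reasons}


def scan(log_text):
    """Run analyze() over every line and keep only the findings."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the slow-response reason depends on the 7-second threshold; the parameter checks fire on the probe regardless of how quickly the host answers, which covers the slow-host caveat above.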