{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22850", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-12T16:20:16.745Z", "datePublished": "2026-01-19T16:51:00.394Z", "dateUpdated": "2026-01-20T21:35:14.638Z"}, "containers": {"cna": {"title": "Koko Analytics vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q"}, {"name": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119", "tags": ["x_refsource_MISC"], "url": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119"}, {"name": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing", "tags": ["x_refsource_MISC"], "url": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing"}], "affected": [{"vendor": "ibericode", "product": "koko-analytics", "versions": [{"version": "< 2.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T16:51:00.394Z"}, "descriptions": [{"lang": "en", "value": "Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as \"),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue."}], "source": {"advisory": "GHSA-jgfh-264m-xh3q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T21:35:07.715517Z", "id": "CVE-2026-22850", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:35:14.638Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22850", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T21:35:07.715517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:35:12.346Z"}}], "cna": {"title": "Koko Analytics vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import", "source": {"advisory": "GHSA-jgfh-264m-xh3q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ibericode", "product": "koko-analytics", "versions": [{"status": "affected", "version": "< 2.1.3"}]}], "references": [{"url": "https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q", "name": "https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119", "name": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119", "tags": ["x_refsource_MISC"]}, {"url": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing", "name": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as \"),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T16:51:00.394Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22850", "state": "PUBLISHED", "dateUpdated": "2026-01-20T21:35:14.638Z", "dateReserved": "2026-01-12T16:20:16.745Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T16:51:00.394Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibericode:koko_analytics:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CB3DC92C-231A-456F-A8CE-109A55F6F278", "versionEndExcluding": "2.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as \"),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue."}], "id": "CVE-2026-22850", "lastModified": "2026-03-09T21:16:44.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-19T17:15:50.430", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation"], "url": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:53:23.765165+00:00", "value": {"mitigation_remediation": ["Upgrade Koko Analytics to version 2.1.3 or newer to ensure proper input escaping and SQL validation.", "Revoke the manage_koko_analytics capability from all users except trusted administrators, thereby preventing unauthorized SQL uploads.", "Delete any existing export files created from the vulnerable tracking endpoint and avoid importing them until the plugin is patched."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary SQL Execution"}, "threat_synthesis": {"affected_systems": "All installations of IBERICODE Koko Analytics for WordPress that are running a version older than 2.1.3 are affected. Vulnerability exists in the tracking endpoint, export routine, and import handler. The plugin must be active on a WordPress site for the flaw to be relevant.", "description_and_impact": "Koko Analytics exposes a classic SQL injection (CWE-89) by storing unescaped tracking data and regurgitating it into SQL INSERT statements during export. Attacker\u2011controlled path or referrer values can break out of the value list, and when an administrator imports that export, the plugin executes the injected payload against the WordPress database without validation. The result is arbitrary SQL execution, which can delete core tables, inject backdoor admin accounts, or perform other destructive actions.", "risk_and_exploitability": "The CVSS score of 8.4 reflects a high\u2011severity data\u2011destructive flaw, while the EPSS score of less than 1% indicates that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an unauthenticated attacker submitting malicious tracking data, followed by an authenticated administrator importing the crafted export file; alternatively, any authenticated user with the manage_koko_analytics capability can upload a malicious SQL file directly and have it executed."}}}}, "created": "2026-01-20T08:40:50.928940+00:00", "updated": "2026-04-18T16:00:04.287610+00:00", "vendors": ["ibericode", "ibericode$PRODUCT$koko_analytics", "wordpress", "wordpress$PRODUCT$wordpress"]}