CVE-2026-22850 - Koko Analytics vulnerable to arbitrary SQL execution through unescaped analytics...
CVE ID: CVE-2026-22850
Published: Jan. 19, 2026, 5:15 p.m.
Description: Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as
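
The export flaw described above, modelled as an added example (not code from Koko Analytics or from the advisory): Python with SQLite stands in for the plugin's PHP and MySQL, and the table name, function names and sample paths are constructed for illustration. It shows a stored value with a harmless apostrophe changing the structure of an unescaped INSERT, and the same value round-tripping once it is quoted as a literal.

```python
import sqlite3

# Constructed sample rows, standing in for strings a public tracking endpoint
# stored verbatim. The apostrophe is harmless but terminates a '...' literal.
STORED_PATHS = ["/about", "/blog/it's-here"]

def export_unescaped(paths):
    """The flawed pattern: stored strings pasted straight into INSERT text."""
    return [f"INSERT INTO paths (path) VALUES ('{p}');" for p in paths]

def sql_literal(value):
    """Quote a string for SQLite: double each single quote, reject NUL bytes.
    MySQL also treats backslash as an escape, so use the driver's escaper there."""
    if "\x00" in value:
        raise ValueError("NUL byte in exported value")
    return "'" + value.replace("'", "''") + "'"

def export_escaped(paths):
    """Hardened export: every stored value passes through sql_literal()."""
    return [f"INSERT INTO paths (path) VALUES ({sql_literal(p)});" for p in paths]

def import_dump(statements):
    """Replay an export into a fresh database; return (rows, failed statements)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE paths (path TEXT)")
    failed = []
    for stmt in statements:
        try:
            db.execute(stmt)
        except sqlite3.Error:
            # The stored value escaped its literal and the statement no longer parses.
            failed.append(stmt)
    rows = [r[0] for r in db.execute("SELECT path FROM paths ORDER BY rowid")]
    db.close()
    return rows, failed

if __name__ == "__main__":
    for name, exporter in (("unescaped", export_unescaped),
                           ("escaped", export_escaped)):
        rows, failed = import_dump(exporter(STORED_PATHS))
        print(f"{name}: imported={rows} failed={len(failed)}")
```

In WordPress code the corresponding defence is to build statements with `$wpdb->prepare()` or `esc_sql()` instead of hand-rolled quoting.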