cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for burst-statistics (Burst Statistics)

Jun 06, 2024

Burst Statistics – Privacy-Friendly Analytics for WordPress # CVE-2023-5761

CVE, Research URL

CVE-2023-5761

Date
Dec 07, 2023
Research Description
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
Min -, max -.
Status
vulnerable

Burst Statistics – Privacy-Friendly Analytics for WordPress # CVE-2024-1894

CVE, Research URL

CVE-2024-1894

Date
Mar 13, 2024
Research Description
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the 'Show Toolbar when viewing site' option enabled in their profile.
Affected versions
Min -, max -.
Status
vulnerable

Burst Statistics – Privacy-Friendly Analytics for WordPress # CVE-2024-0405

CVE, Research URL

CVE-2024-0405

Date
Jan 17, 2024
Research Description
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
Affected versions
Min -, max -.
Status
vulnerable
Jul 03, 2025

Burst Statistics – Privacy-Friendly Analytics for WordPress # CVE-2025-53193

CVE, Research URL

CVE-2025-53193

Date
Jun 27, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics allows Cross-Site Request Forgery. This issue affects Burst Statistics: from n/a through 2.0.6.
Affected versions
Min -, max -.
Status
vulnerable