Burst Statistics – Privacy-Friendly Analytics for WordPress, CVE-2024-0405

CVE, Research URL: CVE-2024-0405
Home page URL: Security reports for Burst Statistics – Privacy-Friendly Analytics for WordPress
Application: Burst Statistics – Privacy-Friendly Analytics for WordPress
Published on: Jan 17, 2024
Research Description: The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
Affected versions: Min -, max 1.5.4.
Status: vulnerable

Burst Statistics &#8211; Privacy-Friendly Analytics for WordPress, CVE-2024-0405