CVE-2023-5041

Name of the Vulnerable Software and Affected Versions The Track The Click WordPress plugin versions prior to 0.3.12

Description The issue arises from the plugin's failure to properly sanitize query parameters to the stats REST endpoint before using them in a database query. This allows a logged-in user with an author role or higher to perform time-based blind SQLi attacks on the database. Approximately 1,178 devices are potentially affected, mainly distributed in the United States and Germany.

Recommendations For versions prior to 0.3.12, update to version 0.3.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the stats REST endpoint until a patch is applied. Additionally, limiting the privileges of users with an author role or higher can help minimize the risk of exploitation.