PT-2024-15531 · WordPress · Burst Statistics – Privacy-Friendly Analytics

Ivan Spiridonov, +1

Published: 2024-01-16 · Updated: 2024-01-24

CVE-2024-0405

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3
Description: The issue arises from insufficient escaping of user-supplied parameters and the absence of proper query preparation (placeholder-based prepared queries) in SQL statements, which allows authenticated attackers with Editor access or higher to append additional SQL to existing queries. This can lead to unauthorized access to sensitive information in the database. The vulnerability is reachable through multiple JSON parameters of the "/wp-json/burst/v1/data/compare" endpoint, including browser, device, page id, page url, platform, and referrer.
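The weakness class described above, shown as an added example rather than code from the Burst Statistics plugin: a hypothetical WordPress $wpdb-based "compare" handler that first concatenates REST filter values into SQL (the pattern this advisory describes) and then the same handler hardened with an allow-list of column names and $wpdb->prepare() placeholders. The table name, column names and filter keys are assumptions made for the example.

```php
<?php
// Added example, not Burst Statistics code. Table and column names are assumed.
// Hypothetical allow-list: incoming JSON keys -> column names. Keys not listed
// are ignored, so a request can never choose a column name itself.
const BURST_DEMO_FILTER_COLUMNS = array(
    'browser'  => 'browser',
    'device'   => 'device',
    'page_id'  => 'page_id',
    'page_url' => 'page_url',
    'platform' => 'platform',
    'referrer' => 'referrer',
);

// UNSAFE (the weakness class in this advisory): each value is interpolated into
// the query text, so a value containing a single quote ends the string literal
// and whatever follows it is parsed as SQL.
function burst_demo_compare_unsafe( array $filters ) {
    global $wpdb;
    $table = $wpdb->prefix . 'burst_demo_statistics';
    $where = array();
    foreach ( $filters as $key => $value ) {
        if ( isset( BURST_DEMO_FILTER_COLUMNS[ $key ] ) ) {
            $where[] = BURST_DEMO_FILTER_COLUMNS[ $key ] . " = '" . $value . "'";
        }
    }
    $sql = "SELECT COUNT(*) AS visits FROM {$table}";
    if ( $where ) {
        $sql .= ' WHERE ' . implode( ' AND ', $where );
    }
    return $wpdb->get_var( $sql );
}

// HARDENED: column names come only from the allow-list, and every value goes
// through a $wpdb->prepare() placeholder (%d for integers, %s for strings), so
// the database receives it as data rather than as part of the SQL.
function burst_demo_compare_safe( array $filters ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'burst_demo_statistics';
    $where  = array();
    $params = array();
    foreach ( $filters as $key => $value ) {
        if ( ! isset( BURST_DEMO_FILTER_COLUMNS[ $key ] ) ) {
            continue; // unknown filter key: dropped, never interpolated
        }
        $column = BURST_DEMO_FILTER_COLUMNS[ $key ];
        if ( 'page_id' === $column ) {
            $where[]  = "{$column} = %d";
            $params[] = (int) $value;
        } else {
            $where[]  = "{$column} = %s";
            $params[] = (string) $value;
        }
    }
    $sql = "SELECT COUNT(*) AS visits FROM {$table}";
    if ( $where ) {
        // prepare() accepts the placeholder values as a single array argument.
        $sql = $wpdb->prepare( $sql . ' WHERE ' . implode( ' AND ', $where ), $params );
    }
    return $wpdb->get_var( $sql );
}
```

Two things make the hardened version hold up: the column name is never taken from the request (placeholders cannot protect identifiers, only values), and every value is bound through a placeholder regardless of whether it "looks" safe, which is the same discipline a fix for the real plugin would need to apply to each of the parameters the advisory lists.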
Recommendations: For version 1.5.3, as a temporary workaround, disable access to the "/wp-json/burst/v1/data/compare" endpoint until a patch is available, and restrict the affected parameters (browser, device, page id, page url, platform, and referrer) to minimize the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this vulnerability.
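One way to apply the workaround above on a site that cannot yet update, as an added example that is not part of the Burst Statistics plugin: a must-use plugin that refuses every request to the affected REST route via the rest_pre_dispatch filter. It assumes the route string the plugin registers is exactly "/burst/v1/data/compare" (WP_REST_Request::get_route() returns routes without the "/wp-json" prefix); the constant and function names are chosen for this example.

```php
<?php
/**
 * Plugin Name: Block Burst compare endpoint (temporary workaround)
 *
 * Added example, not code from Burst Statistics. Place this file in
 * wp-content/mu-plugins/ so it loads before regular plugins. The route
 * string below is an assumption; adjust it if the site's route differs.
 */

const BURST_BLOCK_ROUTE = '/burst/v1/data/compare';

/**
 * Short-circuits REST dispatch for the affected route.
 *
 * Hooked on rest_pre_dispatch: returning anything other than null makes
 * WP_REST_Server send that value instead of running the route handler, so the
 * plugin's query for this endpoint is never executed.
 *
 * @param mixed           $result  Current pre-dispatch result (null = proceed).
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request Incoming request.
 * @return mixed WP_Error for the blocked route, otherwise $result unchanged.
 */
function burst_block_compare_route( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already answered this request
    }
    // Normalise a trailing slash so "/compare/" is blocked as well.
    $route = untrailingslashit( $request->get_route() );
    if ( BURST_BLOCK_ROUTE !== $route ) {
        return $result;
    }
    // Record the attempt in the PHP error log so it can be reviewed later.
    error_log( sprintf(
        'burst compare endpoint blocked: user=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return new WP_Error(
        'burst_compare_disabled',
        'This endpoint is temporarily disabled.',
        array( 'status' => 403 )
    );
}
add_filter( 'rest_pre_dispatch', 'burst_block_compare_route', 10, 3 );
```

Because the vulnerability is reachable by Editor-level accounts, the block is applied to every user rather than only to unauthenticated ones. This also disables the plugin's own comparison feature in the dashboard for the duration of the workaround, so remove the must-use plugin once a fixed version is installed; it covers only the route named in the advisory, not other routes the plugin may expose.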

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-0405

Affected Products

Burst Statistics – Privacy-Friendly Analytics