CVE-2024-1894

Name of the Vulnerable Software and Affected Versions Burst Statistics – Privacy-Friendly Analytics for WordPress plugin versions up to, and including, 1.5.6.1

Description The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes, specifically via the burst total pageviews count custom meta field. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page, provided the victim has the 'Show Toolbar when viewing site' option enabled in their profile.

Recommendations For versions up to, and including, 1.5.6.1, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the burst total pageviews count custom meta field until a patch is available. Additionally, disabling the 'Show Toolbar when viewing site' option in user profiles can minimize the risk of exploitation.