The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, widely used for privacy-conscious website analytics, contains a critical SQL Injection vulnerability identified as CVE-2024-0405. This vulnerability exists in version 1.5.3 and possibly all prior versions due to insufficient neutralization of special characters in SQL commands. Specifically, multiple JSON parameters ('browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer') accepted by the /wp-json/burst/v1/data/compare REST API endpoint are not properly escaped or parameterized before being incorporated into SQL queries. This improper handling allows an attacker with authenticated editor-level or higher access to append arbitrary SQL statements to legitimate queries. The vulnerability leverages CWE-89, which is the improper neutralization of special elements used in SQL commands, commonly known as SQL Injection. The CVSS 3.1 base score is 7.2, reflecting high severity due to network attack vector, low attack complexity, required privileges at the editor level, no user interaction, and high impact on confidentiality, integrity, and availability. Successful exploitation can lead to unauthorized data access, data manipulation, or denial of service by corrupting database contents. The vulnerability affects all versions of the plugin, and no official patches or updates have been linked yet. The flaw is particularly dangerous because it exploits a REST API endpoint, which is accessible remotely, and the required privileges are common among WordPress site editors, increasing the attack surface. While no active exploitation has been reported, the presence of this vulnerability in a popular WordPress plugin makes it a significant concern for website administrators.

The impact of CVE-2024-0405 is substantial for organizations using the Burst Statistics plugin on WordPress sites. Attackers with editor-level access can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized disclosure of sensitive analytics data, user information, or other database contents. This can result in data breaches, loss of user trust, and regulatory compliance violations, especially for sites handling personal or sensitive data. Additionally, attackers could modify or delete data, disrupting analytics functionality or causing denial of service. Since the vulnerability affects a REST API endpoint, it can be exploited remotely over the internet, increasing the risk of widespread attacks. Organizations relying on this plugin for privacy-friendly analytics may face operational disruptions and reputational damage if exploited. The requirement for editor-level privileges somewhat limits the attacker pool but does not eliminate risk, as compromised or malicious insiders can leverage this flaw. The vulnerability also raises concerns about the overall security posture of the plugin and the need for secure coding practices in WordPress extensions.

To mitigate CVE-2024-0405, organizations should first check for any official patches or updates from the plugin vendor and apply them immediately once available. In the absence of a patch, temporarily disabling the Burst Statistics plugin can prevent exploitation. Restrict editor-level access strictly to trusted users and audit user roles to minimize the risk of insider threats. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the /wp-json/burst/v1/data/compare endpoint. Review and harden REST API permissions to limit access to sensitive endpoints. Conduct code review and implement parameterized queries or prepared statements in the plugin code to ensure proper input sanitization. Monitor logs for unusual database queries or API requests indicative of exploitation attempts. Additionally, consider isolating the WordPress environment and database with least privilege principles to reduce the blast radius of potential attacks. Regularly backup website data and test restoration procedures to recover quickly from any compromise. Finally, educate site administrators about the risks of granting elevated privileges and encourage prompt updates of all WordPress plugins.