CVE-2024-0405: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in rogierlankhorst Burst Statistics – Privacy-Friendly Analytics for WordPress
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
AI Analysis
Technical Summary
CVE-2024-0405 is a high-severity SQL injection vulnerability (CWE-89, improper neutralization of special elements used in an SQL command) in the WordPress plugin Burst Statistics – Privacy-Friendly Analytics, developed by rogierlankhorst. The advisory names version 1.5.3 as affected; it does not say whether earlier releases share the flaw. The injection point is the /wp-json/burst/v1/data/compare REST API endpoint, which accepts JSON parameters including browser, device, page_id, page_url, platform and referrer. Their values are placed into SQL without prepared statements and without adequate escaping, so an authenticated user holding the Editor role or higher can close the quoted literal the plugin builds around the value and append SQL of their own to the plugin's query: a UNION to read other tables, a tautology to widen a filter, or a comment sequence to discard the rest of the original statement. Because the WordPress database holds far more than analytics (wp_users password hashes, wp_options, which many plugins use to store API keys, and unpublished content), read access alone is a serious outcome, and the CVSS vector additionally rates integrity and availability impact as high. No user interaction is required. The Editor privilege requirement limits the attack surface to accounts that are already trusted to publish, but in practice the Editor role is routinely granted to staff, contractors and agencies, so it should not be treated as equivalent to administrative trust. The CVSS v3.1 base score is 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network attack vector, low complexity, high privileges required, no user interaction, unchanged scope, high impact on confidentiality, integrity and availability. No public exploit had been reported and no vendor patch was linked at the time of this analysis. The root cause, as the advisory describes it, is the absence of parameterized queries ($wpdb->prepare() in WordPress terms) and of input validation in the plugin code that handles these REST parameters.
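The pattern the advisory describes, modelled in Python against an in-memory SQLite database. This is an added example written for this page, not code from the Burst Statistics plugin (which is PHP and uses WordPress's $wpdb); the table layout, the rows and the wp_users contents are constructed for the demonstration. The vulnerable builder interpolates filter values into the SQL string; the hardened one binds them as parameters and accepts filter names only from an allowlist, which is the same shape a fix using $wpdb->prepare() takes.

```python
import sqlite3

# Constructed sample schema standing in for the plugin's statistics table and
# WordPress's wp_users table. Names, rows and the password hash are invented.
SCHEMA = """
CREATE TABLE burst_statistics (
    page_id INTEGER, page_url TEXT, browser TEXT, device TEXT,
    platform TEXT, referrer TEXT
);
CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
INSERT INTO burst_statistics VALUES
    (1, '/', 'Firefox', 'desktop', 'Linux', 'https://example.org'),
    (2, '/pricing', 'Chrome', 'mobile', 'Android', ''),
    (1, '/', 'Chrome', 'desktop', 'Windows', 'https://search.example');
INSERT INTO wp_users VALUES ('admin', '$P$BexampleHashOnlyNotReal0000000');
"""

# Filter keys the endpoint accepts, mapped to the column each one selects on.
# Column names cannot be bound as parameters, so they come only from this allowlist.
FILTER_COLUMNS = {
    "browser": "browser", "device": "device", "page_id": "page_id",
    "page_url": "page_url", "platform": "platform", "referrer": "referrer",
}


def connect():
    """Create the in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def pageviews_vulnerable(conn, filters):
    """Build the WHERE clause by string formatting: the CWE-89 pattern."""
    where = " AND ".join(
        f"{FILTER_COLUMNS[k]} = '{v}'" for k, v in filters.items() if k in FILTER_COLUMNS
    )
    sql = f"SELECT page_url, COUNT(*) FROM burst_statistics WHERE {where} GROUP BY page_url"
    return conn.execute(sql).fetchall()


def pageviews_hardened(conn, filters):
    """Same query with every value bound as a parameter; keys must be allowlisted."""
    unknown = set(filters) - set(FILTER_COLUMNS)
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    where = " AND ".join(f"{FILTER_COLUMNS[k]} = ?" for k in filters)
    sql = f"SELECT page_url, COUNT(*) FROM burst_statistics WHERE {where} GROUP BY page_url"
    return conn.execute(sql, list(filters.values())).fetchall()


# Payload of the shape the advisory describes: closes the string literal, appends a
# UNION that reads another table, and comments out the tail of the original query.
PAYLOAD = "x' GROUP BY page_url UNION SELECT user_login, user_pass FROM wp_users -- "

if __name__ == "__main__":
    conn = connect()
    print("legitimate:", pageviews_vulnerable(conn, {"browser": "Chrome"}))
    print("injected:  ", pageviews_vulnerable(conn, {"browser": PAYLOAD}))
    print("hardened:  ", pageviews_hardened(conn, {"browser": PAYLOAD}))
```

Run directly, the script prints the legitimate per-page counts for browser=Chrome, then the same builder fed the payload, which returns a wp_users row instead of page views, then the hardened version, which returns nothing because the payload is compared as an ordinary browser string. The allowlist matters as much as the placeholders: column names cannot be bound, so a filter key copied straight from the JSON body would reopen the hole.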
Potential Impact
For European organizations running WordPress sites with the vulnerable Burst Statistics plugin, the risk is significant. An attacker who holds Editor or higher credentials, obtained through phishing, credential reuse or an insider, can use the flaw to run SQL of their choosing against the WordPress database. That exposes not only the analytics tables but everything else in the same database: customer and subscriber records, user password hashes, plugin secrets and unpublished content. Depending on the injected statement, data could also be altered or deleted, affecting the integrity and availability of the analytics service and of the site itself. Under the GDPR such a breach can trigger notification duties, regulatory penalties, reputational damage and loss of customer trust. Exploitation is also a plausible stepping stone: recovered administrator password hashes can be cracked offline, and an administrator account on WordPress typically means code execution on the web server through plugin or theme uploads, from which lateral movement into the rest of the environment can follow. Because WordPress is widely used across Europe for business and governmental sites, and this plugin is aimed specifically at organizations that choose privacy-friendly analytics, the exposed population is broad.
Mitigation Recommendations
European organizations should audit their WordPress installations for the Burst Statistics plugin (slug burst-statistics; wp plugin list from WP-CLI shows the installed version on each site). The advisory names version 1.5.3; treat older releases as unverified rather than safe. Until an official patch is available, the following mitigations are recommended:
1) Restrict the Editor role and above to trusted personnel, and review user accounts so that as few people as possible hold the privilege the exploit needs.
2) Add Web Application Firewall rules for POST requests to /wp-json/burst/v1/data/compare. The injectable values travel in the JSON body, so the rule set must inspect request bodies, not just the URL; expect false positives on referrer and page_url values, which legitimately contain punctuation.
3) Deactivate or remove the plugin where it is not essential.
4) Monitor web server and WAF logs for unusual calls to the endpoint (high request rates from one account, values containing a quote character followed by an SQL keyword, comment sequences such as --) and correlate them with the authenticated user.
5) Use database activity monitoring to detect anomalous statements, in particular SELECTs against wp_users or wp_options arriving from the web tier that do not match WordPress core's own query shapes.
6) Apply the vendor update as soon as one is published.
7) Train administrators and editors in credential hygiene, and enforce multi-factor authentication for privileged WordPress accounts.
8) Isolate WordPress instances and harden the database side. A WordPress site uses a single database user for core and every plugin, so the plugin cannot be given its own restricted account; the realistic controls are to grant that user rights only to its own database, withhold FILE and SUPER privileges, and avoid sharing a database server or credentials with other applications.
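A detection check for the WAF and log-monitoring items above, as an added example that is not drawn from the plugin, from WordPress or from any WAF product. It assumes a reverse proxy or WAF that logs requests to the endpoint as JSON lines including the decoded request body (the key names path, user and body are this example's own), and it is deliberately narrow so that referrer URLs containing apostrophes or semicolons are not flagged.

```python
import json
import re

ENDPOINT = "/wp-json/burst/v1/data/compare"
# Parameters the advisory names as injectable.
WATCHED_PARAMS = {"browser", "device", "page_id", "page_url", "platform", "referrer"}

# Indicators of an attempt to break out of a quoted SQL literal or to append
# statements. Kept narrow on purpose: referrer and page_url values contain
# apostrophes, ampersands and semicolons legitimately, so a lone quote is not
# treated as an attack, and '#' is left out because URLs carry fragments.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and|union|group\s+by|order\s+by)\b", re.I),  # quote break then keyword
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),               # UNION-based read
    re.compile(r"(--|/\*)"),                                           # comment out the query tail
    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),     # stacked statement
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),                     # time-based blind probe
]


def inspect_compare_request(record):
    """Return findings for one logged request; empty list if nothing looks wrong.

    `record` is a dict with keys path, user and body (the decoded JSON body).
    This shape is an assumption of the example, not a format the plugin emits.
    """
    findings = []
    if record.get("path") != ENDPOINT:
        return findings
    body = record.get("body") or {}
    for name, value in body.items():
        if name not in WATCHED_PARAMS:
            continue
        if name == "page_id":
            # page_id is an identifier: anything but a plain integer is suspicious.
            if isinstance(value, bool) or not isinstance(value, int):
                findings.append(f"page_id is not an integer: {value!r}")
            continue
        if not isinstance(value, str):
            findings.append(f"{name} is not a string: {value!r}")
            continue
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                findings.append(f"{name} matches {pat.pattern!r}: {value!r}")
                break
    return findings


def scan(log_lines):
    """Parse JSON-lines records and return (user, findings) for each flagged request."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        findings = inspect_compare_request(record)
        if findings:
            hits.append((record.get("user"), findings))
    return hits


# Constructed log records for the demonstration; not real traffic.
SAMPLE_LOG = """
{"path": "/wp-json/burst/v1/data/compare", "user": "editor1", "body": {"browser": "Chrome", "page_id": 12}}
{"path": "/wp-json/burst/v1/data/compare", "user": "editor1", "body": {"referrer": "https://example.org/?q=rock'n'roll&x=1;y=2"}}
{"path": "/wp-json/burst/v1/data/compare", "user": "editor2", "body": {"browser": "x' UNION SELECT user_login, user_pass FROM wp_users -- "}}
{"path": "/wp-json/burst/v1/data/compare", "user": "editor2", "body": {"page_id": "1 OR 1=1"}}
{"path": "/wp-json/burst/v1/data/statistics", "user": "editor2", "body": {"browser": "x' OR '1'='1"}}
"""

if __name__ == "__main__":
    for user, findings in scan(SAMPLE_LOG.splitlines()):
        print(user, "->", "; ".join(findings))
```

Only the two editor2 requests to the compare endpoint are flagged: the benign referrer with an apostrophe and a semicolon passes, and the last record is ignored because it targets a different route. The same logic can be ported to a WAF rule set, but whichever engine runs it must be configured to parse JSON request bodies, since an access log that records only the request line never sees the injected values.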
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-10T17:00:07.732Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683dbfa6182aa0cae2498300
Added to database: 6/2/2025, 3:13:42 PM
Last enriched: 7/3/2025, 5:01:22 PM
Last updated: 8/1/2025, 1:41:56 PM
Related Threats
- Researcher to release exploit for full auth bypass on FortiWeb (High)
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)