
CVE-2024-0405: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in rogierlankhorst Burst Statistics – Privacy-Friendly Analytics for WordPress

Severity: High
Type: Vulnerability
Tags: CVE-2024-0405, CWE-89
Published: Wed Jan 17 2024 (01/17/2024, 04:32:16 UTC)
Source: CVE Database V5
Vendor/Project: rogierlankhorst
Product: Burst Statistics – Privacy-Friendly Analytics for WordPress

Description

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.

AI-Powered Analysis

Last updated: 07/03/2025, 17:01:22 UTC

Technical Analysis

CVE-2024-0405 is a high-severity SQL Injection vulnerability affecting the WordPress plugin 'Burst Statistics – Privacy-Friendly Analytics' developed by rogierlankhorst. The vulnerability exists in version 1.5.3 and potentially all versions, due to improper neutralization of special elements used in SQL commands (CWE-89). Specifically, the flaw is located in the /wp-json/burst/v1/data/compare REST API endpoint, which accepts multiple JSON parameters such as 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. These parameters are insufficiently sanitized and escaped before being incorporated into SQL queries, allowing an authenticated attacker with editor-level or higher privileges to inject arbitrary SQL code. This post-authentication SQL injection enables the attacker to append additional SQL queries, potentially leading to unauthorized disclosure, modification, or deletion of sensitive data stored in the WordPress database. The vulnerability does not require user interaction but does require elevated privileges (editor or higher), which limits the attack surface to users who already have some level of trusted access. The CVSS v3.1 score is 7.2 (high), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known public exploits have been reported yet, and no official patches are linked at this time. The root cause is the lack of prepared statements or parameterized queries and inadequate input validation in the plugin's backend code handling the REST API parameters.
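The following is an added illustration of the root cause named above (values from the REST request spliced into SQL text) beside the prepared-statement form that removes it. It is constructed for this page and is not the plugin's code: the route namespace, function names and the table name are placeholders, and the capability check mirrors the advisory's editor-or-higher precondition.

```php
<?php
// Constructed illustration of the CWE-89 pattern the advisory describes, and
// its fix. This is NOT the plugin's code: the route namespace, function names
// and table name are placeholders chosen for this example.

function example_compare_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_stats';   // hypothetical table name
    $params = $request->get_json_params();

    // Vulnerable: JSON values are spliced into the SQL text. A quote in
    // 'browser' closes the string literal and the rest of the value is
    // parsed as SQL, which is what "append additional SQL queries" means.
    $sql = "SELECT COUNT(*) AS visits FROM {$table}"
         . " WHERE browser = '" . $params['browser'] . "'"
         . " AND page_id = " . $params['page_id'];
    return rest_ensure_response( $wpdb->get_row( $sql ) );
}

function example_compare_fixed( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_stats';    // hypothetical table name

    // Fixed: coerce each value to the type the column expects, then bind it
    // with $wpdb->prepare(). %d emits an integer and %s an escaped, quoted
    // literal, so the value can never alter the structure of the query.
    $page_id = absint( $request->get_param( 'page_id' ) );
    $browser = sanitize_text_field( (string) $request->get_param( 'browser' ) );
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) AS visits FROM {$table} WHERE browser = %s AND page_id = %d",
        $browser,
        $page_id
    );
    return rest_ensure_response( $wpdb->get_row( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/data/compare', array(
        'methods'  => 'POST',
        'callback' => 'example_compare_fixed',
        // Editor-or-higher gate, matching the advisory's precondition. It
        // limits who can reach the query; it does not replace prepare().
        'permission_callback' => function () {
            return current_user_can( 'edit_others_posts' );
        },
    ) );
} );
```

The same `%s`/`%d` binding applies to every parameter the advisory lists ('device', 'page_url', 'platform', 'referrer'); the fix is mechanical once no request value is ever concatenated into the query string.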

Potential Impact

For European organizations using WordPress websites with the vulnerable Burst Statistics plugin installed, this vulnerability poses a significant risk. An attacker who has obtained editor or higher credentials—potentially through phishing, credential reuse, or insider threat—can exploit this flaw to execute arbitrary SQL commands. This can lead to unauthorized access to sensitive customer data, analytics data, or other confidential information stored in the WordPress database. The attacker could also modify or delete data, impacting data integrity and availability of the analytics service. Given the GDPR and other stringent data protection regulations in Europe, such a breach could result in regulatory penalties, reputational damage, and loss of customer trust. The vulnerability's exploitation could also be a stepping stone for further lateral movement or privilege escalation within the affected organization's IT environment. Since WordPress is widely used across Europe for business and governmental websites, the potential impact is broad, especially for sectors relying on privacy-friendly analytics and data-driven decision-making.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Burst Statistics plugin, especially version 1.5.3 or earlier. Until an official patch is released, the following mitigations are recommended:

1) Restrict editor and higher privileges strictly to trusted personnel and review user roles to minimize the number of users who can exploit this vulnerability.
2) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the /wp-json/burst/v1/data/compare endpoint.
3) Disable or remove the Burst Statistics plugin if it is not essential to reduce the attack surface.
4) Monitor logs for unusual database queries or REST API calls that could indicate exploitation attempts.
5) Employ database activity monitoring tools to detect anomalous SQL commands.
6) Once a patch is available, prioritize immediate plugin updates.
7) Educate administrators and editors on secure credential management to prevent unauthorized access.
8) Consider isolating WordPress instances and applying the principle of least privilege to database accounts used by the plugin to limit potential damage from SQL injection.
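As an added example of items 2 and 4 above implemented inside WordPress itself rather than in an external WAF, the following must-use plugin is a temporary virtual patch constructed for this page (not the plugin's or vendor's code). It assumes the route shape given in the advisory; the allow-list it enforces is an assumption chosen to be conservative, not the plugin's own parameter schema, so legitimate values outside it would also be rejected.

```php
<?php
// Constructed must-use plugin (wp-content/mu-plugins/) acting as a temporary
// virtual patch for the affected endpoint until the plugin is updated. NOT the
// plugin's code; the allow-list below is an assumption, not its real schema.
// Implements mitigation items 2 and 4: reject out-of-policy parameters, log it.
add_filter( 'rest_pre_dispatch', 'example_guard_burst_compare', 10, 3 );

function example_guard_burst_compare( $result, $server, $request ) {
    // Only the affected route is inspected; every other REST call passes.
    if ( $request->get_route() !== '/burst/v1/data/compare' ) {
        return $result;
    }
    // get_params() merges JSON body, form body and query-string parameters.
    $params = $request->get_params();
    foreach ( example_compare_param_rules() as $name => $pattern ) {
        if ( ! array_key_exists( $name, $params ) ) {
            continue;
        }
        $value = $params[ $name ];
        if ( ! is_scalar( $value ) || ! preg_match( $pattern, (string) $value ) ) {
            // One log line per rejection: which parameter, which user, from where.
            error_log( sprintf( '[burst-guard] rejected %s from user %d (%s)',
                $name, get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
            // Returning WP_Error short-circuits dispatch: the plugin's own
            // handler never sees this request.
            return new WP_Error( 'rest_invalid_param',
                'Rejected parameter: ' . $name, array( 'status' => 400 ) );
        }
    }
    return $result;
}

function example_compare_param_rules() {
    // Conservative allow-list: page_id must be an integer; names are short
    // tokens; URLs are limited to characters that cannot terminate an SQL
    // string literal (no quotes, semicolons or comment markers).
    $token = '/^[A-Za-z0-9 ._-]{0,64}$/';
    $url   = '#^[A-Za-z0-9:/._~%?=&+-]{0,2048}$#';
    return array(
        'page_id'  => '/^[0-9]{1,10}$/',
        'browser'  => $token,
        'device'   => $token,
        'platform' => $token,
        'page_url' => $url,
        'referrer' => $url,
    );
}
```

The `[burst-guard]` lines land in the PHP error log, where the monitoring from item 4 can alert on them; remove the guard once the plugin update from item 6 is applied.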


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-01-10T17:00:07.732Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683dbfa6182aa0cae2498300

Added to database: 6/2/2025, 3:13:42 PM

Last enriched: 7/3/2025, 5:01:22 PM

Last updated: 8/1/2025, 1:41:56 PM

