CVE-2024-0405 is a high-severity SQL Injection vulnerability affecting the WordPress plugin 'Burst Statistics – Privacy-Friendly Analytics' developed by rogierlankhorst. The vulnerability exists in version 1.5.3 and potentially all versions, due to improper neutralization of special elements used in SQL commands (CWE-89). Specifically, the flaw is located in the /wp-json/burst/v1/data/compare REST API endpoint, which accepts multiple JSON parameters such as 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. These parameters are insufficiently sanitized and escaped before being incorporated into SQL queries, allowing an authenticated attacker with editor-level or higher privileges to inject arbitrary SQL code. This post-authentication SQL injection enables the attacker to append additional SQL queries, potentially leading to unauthorized disclosure, modification, or deletion of sensitive data stored in the WordPress database. The vulnerability does not require user interaction but does require elevated privileges (editor or higher), which limits the attack surface to users who already have some level of trusted access. The CVSS v3.1 score is 7.2 (high), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known public exploits have been reported yet, and no official patches are linked at this time. The root cause is the lack of prepared statements or parameterized queries and inadequate input validation in the plugin's backend code handling the REST API parameters.

For European organizations using WordPress websites with the vulnerable Burst Statistics plugin installed, this vulnerability poses a significant risk. An attacker who has obtained editor or higher credentials—potentially through phishing, credential reuse, or insider threat—can exploit this flaw to execute arbitrary SQL commands. This can lead to unauthorized access to sensitive customer data, analytics data, or other confidential information stored in the WordPress database. The attacker could also modify or delete data, impacting data integrity and availability of the analytics service. Given the GDPR and other stringent data protection regulations in Europe, such a breach could result in regulatory penalties, reputational damage, and loss of customer trust. The vulnerability's exploitation could also be a stepping stone for further lateral movement or privilege escalation within the affected organization's IT environment. Since WordPress is widely used across Europe for business and governmental websites, the potential impact is broad, especially for sectors relying on privacy-friendly analytics and data-driven decision-making.

European organizations should immediately audit their WordPress installations to identify the presence of the Burst Statistics plugin, especially version 1.5.3 or earlier. Until an official patch is released, the following mitigations are recommended: 1) Restrict editor and higher privileges strictly to trusted personnel and review user roles to minimize the number of users who can exploit this vulnerability. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the /wp-json/burst/v1/data/compare endpoint. 3) Disable or remove the Burst Statistics plugin if it is not essential to reduce the attack surface. 4) Monitor logs for unusual database queries or REST API calls that could indicate exploitation attempts. 5) Employ database activity monitoring tools to detect anomalous SQL commands. 6) Once a patch is available, prioritize immediate plugin updates. 7) Educate administrators and editors on secure credential management to prevent unauthorized access. 8) Consider isolating WordPress instances and applying the principle of least privilege to database accounts used by the plugin to limit potential damage from SQL injection.