CVE-2024-0405 in Burst Statistics Really Simple Plugin
Summary
by MITRE • 01/17/2024
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified in CVE-2024-0405 affects the Burst Statistics – Privacy-Friendly Analytics for WordPress plugin at version 1.5.3, presenting a significant security risk through a post-authenticated SQL injection flaw. This weakness specifically manifests within the /wp-json/burst/v1/data/compare endpoint which processes multiple JSON parameters including browser, device, page_id, page_url, platform, and referrer. The vulnerability stems from inadequate input validation and sanitization practices within the plugin's codebase, creating an exploitable condition where maliciously crafted payloads can be injected into SQL queries executed by the WordPress application. The flaw represents a direct violation of secure coding principles and falls under the category of CWE-89 SQL Injection as defined by the Common Weakness Enumeration standard.
The technical implementation of this vulnerability allows authenticated users with editor privileges or higher to manipulate the SQL query execution flow by appending additional SQL commands to existing queries through the vulnerable JSON parameters. This occurs because user-supplied input values are not properly escaped or parameterized before being incorporated into database queries, enabling attackers to inject malicious SQL syntax that can alter the intended query behavior. The attack vector specifically targets the REST API endpoint within the WordPress ecosystem, leveraging the plugin's legitimate data retrieval functionality to execute unauthorized database operations. This type of attack aligns with the ATT&CK technique T1078 Valid Accounts, as it requires pre-existing authentication credentials to exploit the vulnerability.
The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with the capability to extract sensitive information from the WordPress database including user credentials, configuration details, and potentially other stored data. The authenticated nature of the attack means that attackers do not require administrative privileges to exploit this weakness, making it particularly dangerous within environments where multiple users have editor-level access. Successful exploitation could lead to complete database compromise, enabling attackers to perform unauthorized data manipulation, information disclosure, and potentially establish persistent access within the WordPress environment. The vulnerability also represents a significant risk to privacy and data integrity, especially considering the plugin's focus on analytics data collection.
Mitigation strategies for CVE-2024-0405 should prioritize immediate patching of the affected plugin version to the latest available release that addresses the SQL injection vulnerability. System administrators should implement additional security controls including input validation at multiple layers, proper parameterization of all database queries, and regular security auditing of WordPress plugins and themes. The principle of least privilege should be enforced by limiting user access rights to only those necessary for their role, reducing the attack surface available to potential exploiters. Network monitoring and intrusion detection systems should be configured to identify suspicious API request patterns that may indicate exploitation attempts. Organizations should also consider implementing web application firewalls and database activity monitoring to detect and prevent unauthorized SQL injection attempts. Regular security assessments and vulnerability scanning of WordPress installations remain critical for identifying similar weaknesses that could be exploited through different attack vectors.