CVE-2024-0405
published 2024-01-17CVE-2024-0405: The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON…
PriorityP339medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.62%
45.3th percentile
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| burst-statistics | burst_statistics | < 1.5.3 | 1.5.3 |
| burstbv | burst_statistics_privacy-friendly_wordpress_analytics | <= 1.5.3 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Burst Statistics Really Simple Plugin up to 1.5.3 on WordPress sql injection
vuldb·2026-04-11·CVSS 7.2
CVE-2024-0405 [HIGH] Burst Statistics Really Simple Plugin up to 1.5.3 on WordPress sql injection
A vulnerability classified as critical was found in Burst Statistics Really Simple Plugin up to 1.5.3 on WordPress. This impacts an unknown function. The manipulation results in sql injection.
This vulnerability was named CVE-2024-0405. The attack may be performed from remote. There is no available exploit.
GHSA
GHSA-xhpq-8p2q-qgm6: The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1
ghsa_unreviewed·2024-01-17
CVE-2024-0405 [HIGH] CWE-89 GHSA-xhpq-8p2q-qgm6: The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
Suricata
GPL FTP CWD overflow attempt
suricata·2010-09-23
CVE-1999-0219 GPL FTP CWD overflow attempt
GPL FTP CWD overflow attempt
Rule: alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD overflow attempt"; flow:established,to_server; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:25; metadata:created_at 2010_09_23, cve CVE_1999_0219, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3020809%40burst-statistics%2Ftrunk&old=3012004%40burst-statistics%2Ftrunk&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cvehttps://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3020809%40burst-statistics%2Ftrunk&old=3012004%40burst-statistics%2Ftrunk&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cve
2024-01-17
Published