CVE-2023-5761: 
WordPress vulnerability analysis and mitigation

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin is affected by an SQL Injection vulnerability (CVE-2023-5761) discovered in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro). The vulnerability was publicly disclosed on December 6, 2023, and affects the plugin's handling of the 'url' parameter (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. Specifically, the 'url' parameter is not properly sanitized and escaped before being used in SQL statements. The vulnerability has received a CVSS v3.1 score of 9.8 (Critical) from Wordfence and 7.5 (High) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (WPScan).

This vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. The high severity rating indicates significant potential impact on data confidentiality (NVD).

Users are advised to update to version 1.5.0 for the free version or version 1.5.1 for the pro version of the Burst Statistics plugin. These versions contain patches that address the SQL injection vulnerability (WPScan).