CVE-2024-0405: 
WordPress vulnerability analysis and mitigation

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin version 1.5.3 contains a Post-Authenticated SQL Injection vulnerability (CVE-2024-0405). The vulnerability exists in the /wp-json/burst/v1/data/compare endpoint, affecting multiple JSON parameters including 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This security issue was discovered and reported by Wordfence (Wordfence Advisory).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation in SQL queries. The affected endpoint /wp-json/burst/v1/data/compare processes multiple JSON parameters without proper sanitization. The CVSS v3.1 scores vary between sources, with NVD rating it at 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and Wordfence rating it at 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).

When exploited, this vulnerability allows authenticated attackers with editor access or higher to append additional SQL queries into existing ones. This could potentially lead to unauthorized access to sensitive information stored in the database (NVD).

Users should update to a version newer than 1.5.3 of the Burst Statistics plugin. A patch has been released to address this vulnerability (WordPress Plugin).