CVE-2024-0405 — HIGH (7.2) — White Hats Nepal

Q: How severe is CVE-2024-0405?

CVE-2024-0405 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-0405?

Check the references section above for vendor advisories and patch information. Affected products include: Burst-Statistics Burst Statistics.

Vulnerability Description

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Burst-Statistics	Burst Statistics	< 1.5.3

Related Weaknesses (CWE)

CWE-89

References

https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/claIssue Tracking
https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/claIssue Tracking
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&newPatch
https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6eThird Party Advisory
https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/claIssue Tracking
https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/claIssue Tracking
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&newPatch
https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6eThird Party Advisory

FAQ

What is CVE-2024-0405?

CVE-2024-0405 is a vulnerability with a CVSS score of 7.2 (HIGH). The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/comp...

How severe is CVE-2024-0405?

CVE-2024-0405 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-0405?

Check the references section above for vendor advisories and patch information. Affected products include: Burst-Statistics Burst Statistics.