Search criteria
4 vulnerabilities found for Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) by burstbv
CVE-2024-1894 (GCVE-0-2024-1894)
Vulnerability from nvd – Published: 2024-03-13 15:27 – Updated: 2026-04-08 17:34
VLAI?
Title
Burst Statistics – Privacy-Friendly Analytics for WordPress <= 1.5.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
Summary
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the 'Show Toolbar when viewing site' option enabled in their profile.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| burstbv | Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) |
Affected:
0 , ≤ 1.5.6.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T19:24:18.810283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:05.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.716Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa587df5-9d96-4cac-ae5d-2a0485a3a789?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L67"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L74"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/burst-statistics/tags/1.5.6.1\u0026old=3049793\u0026new_path=/burst-statistics/tags/1.5.7\u0026new=3049793\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Burst Statistics \u2013 Privacy-Friendly WordPress Analytics (Google Analytics Alternative)",
"vendor": "burstbv",
"versions": [
{
"lessThanOrEqual": "1.5.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Burst Statistics \u2013 Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027burst_total_pageviews_count\u0027 custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the \u0027Show Toolbar when viewing site\u0027 option enabled in their profile."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:22.170Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa587df5-9d96-4cac-ae5d-2a0485a3a789?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L67"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/burst-statistics/tags/1.5.6.1\u0026old=3049793\u0026new_path=/burst-statistics/tags/1.5.7\u0026new=3049793\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Burst Statistics \u2013 Privacy-Friendly Analytics for WordPress \u003c= 1.5.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1894",
"datePublished": "2024-03-13T15:27:26.563Z",
"dateReserved": "2024-02-26T16:20:23.811Z",
"dateUpdated": "2026-04-08T17:34:22.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0405 (GCVE-0-2024-0405)
Vulnerability from nvd – Published: 2024-01-17 04:32 – Updated: 2026-04-08 17:29
VLAI?
Title
Burst Statistics Really Simple Plugins <= 1.5.3 - Authenticated (Editor+) SQL Injection
Summary
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| burstbv | Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) |
Affected:
0 , ≤ 1.5.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3020809%40burst-statistics%2Ftrunk\u0026old=3012004%40burst-statistics%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:47:02.470760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:06:30.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Burst Statistics \u2013 Privacy-Friendly WordPress Analytics (Google Analytics Alternative)",
"vendor": "burstbv",
"versions": [
{
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Spiridonov"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Burst Statistics \u2013 Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include \u0027browser\u0027, \u0027device\u0027, \u0027page_id\u0027, \u0027page_url\u0027, \u0027platform\u0027, and \u0027referrer\u0027. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:23.394Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3020809%40burst-statistics%2Ftrunk\u0026old=3012004%40burst-statistics%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Burst Statistics Really Simple Plugins \u003c= 1.5.3 - Authenticated (Editor+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0405",
"datePublished": "2024-01-17T04:32:16.771Z",
"dateReserved": "2024-01-10T17:00:07.732Z",
"dateUpdated": "2026-04-08T17:29:23.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1894 (GCVE-0-2024-1894)
Vulnerability from cvelistv5 – Published: 2024-03-13 15:27 – Updated: 2026-04-08 17:34
VLAI?
Title
Burst Statistics – Privacy-Friendly Analytics for WordPress <= 1.5.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
Summary
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the 'Show Toolbar when viewing site' option enabled in their profile.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| burstbv | Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) |
Affected:
0 , ≤ 1.5.6.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T19:24:18.810283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:05.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.716Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa587df5-9d96-4cac-ae5d-2a0485a3a789?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L67"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L74"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/burst-statistics/tags/1.5.6.1\u0026old=3049793\u0026new_path=/burst-statistics/tags/1.5.7\u0026new=3049793\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Burst Statistics \u2013 Privacy-Friendly WordPress Analytics (Google Analytics Alternative)",
"vendor": "burstbv",
"versions": [
{
"lessThanOrEqual": "1.5.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Burst Statistics \u2013 Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027burst_total_pageviews_count\u0027 custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the \u0027Show Toolbar when viewing site\u0027 option enabled in their profile."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:22.170Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa587df5-9d96-4cac-ae5d-2a0485a3a789?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L67"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/burst-statistics/tags/1.5.6.1\u0026old=3049793\u0026new_path=/burst-statistics/tags/1.5.7\u0026new=3049793\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Burst Statistics \u2013 Privacy-Friendly Analytics for WordPress \u003c= 1.5.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1894",
"datePublished": "2024-03-13T15:27:26.563Z",
"dateReserved": "2024-02-26T16:20:23.811Z",
"dateUpdated": "2026-04-08T17:34:22.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0405 (GCVE-0-2024-0405)
Vulnerability from cvelistv5 – Published: 2024-01-17 04:32 – Updated: 2026-04-08 17:29
VLAI?
Title
Burst Statistics Really Simple Plugins <= 1.5.3 - Authenticated (Editor+) SQL Injection
Summary
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| burstbv | Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) |
Affected:
0 , ≤ 1.5.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3020809%40burst-statistics%2Ftrunk\u0026old=3012004%40burst-statistics%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:47:02.470760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:06:30.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Burst Statistics \u2013 Privacy-Friendly WordPress Analytics (Google Analytics Alternative)",
"vendor": "burstbv",
"versions": [
{
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Spiridonov"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Burst Statistics \u2013 Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include \u0027browser\u0027, \u0027device\u0027, \u0027page_id\u0027, \u0027page_url\u0027, \u0027platform\u0027, and \u0027referrer\u0027. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:23.394Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e349f07d-a520-4700-a6e0-25e68c1deeae?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L380"
},
{
"url": "https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/statistics/class-statistics.php?rev=3011996#L926"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3020809%40burst-statistics%2Ftrunk\u0026old=3012004%40burst-statistics%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Burst Statistics Really Simple Plugins \u003c= 1.5.3 - Authenticated (Editor+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0405",
"datePublished": "2024-01-17T04:32:16.771Z",
"dateReserved": "2024-01-10T17:00:07.732Z",
"dateUpdated": "2026-04-08T17:29:23.394Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}