Burst Statistics Vulnerability – Authenticated Stored Cross-Site Scripting via burst_total_pageviews_count – CVE-2024-1894 | WordPress Plugin Vulnerability Report

Plugin Name: Burst Statistics – Privacy-Friendly Analytics for WordPress

Key Information:

  • Software Type: Plugin
  • Software Slug: burst-statistics
  • Software Status: Active
  • Software Author: rogierlankhorst
  • Software Downloads: 1,792,011
  • Active Installs: 100,000
  • Last Updated: March 14, 2024
  • Patched Versions: 1.5.7
  • Affected Versions: <=

Vulnerability Details:

  • Name: Burst Statistics – Privacy-Friendly Analytics for WordPress <=
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1894
  • CVSS Score: 6.4
  • Publicly Published: March 12, 2024
  • Researcher: Webbernaut
  • Description: The Burst Statistics plugin is at risk from a Stored Cross-Site Scripting vulnerability within the 'burst_total_pageviews_count' custom meta field due to inadequate input sanitization and output escaping. This flaw permits authenticated users with contributor-level access or higher to execute arbitrary web scripts on affected pages, provided the target has enabled the 'Show Toolbar when viewing site' option in their profile.


The Burst Statistics plugin, which offers privacy-friendly analytics for WordPress sites, has been found vulnerable in versions up to The vulnerability, cataloged under CVE-2024-1894, exposes sites to Stored Cross-Site Scripting attacks via a specific custom meta field, risking site integrity and user data. The developers have released a patch in version 1.5.7 to address this security issue.

Detailed Overview:

Identified by security expert Webbernaut, this vulnerability underscores the importance of comprehensive input validation and encoding in web development, especially for plugins handling user-generated content. The potential for malicious script injection by users with even minimal privileges highlights the need for strict security measures in plugin development and user permissions management on WordPress sites.

Advice for Users:

  • Immediate Action: It's imperative to update the Burst Statistics plugin to the latest patched version, 1.5.7, promptly via the WordPress dashboard.
  • Check for Signs of Vulnerability: Administrators should monitor their sites for unusual script executions or content changes, particularly where the affected widget is deployed, as these may signal exploitation.
  • Alternate Plugins: While the updated version is secure, exploring other analytics plugins that prioritize privacy and security might be beneficial for those seeking additional features or assurances.
  • Stay Updated: Regularly updating all WordPress components, including plugins, themes, and the core system, remains crucial in defending against known vulnerabilities and ensuring optimal website performance and security.


The resolution of CVE-2024-1894 in the Burst Statistics plugin is a critical reminder of the constant vigilance required in the digital domain. For WordPress site administrators, particularly those overseeing small business websites with limited technical resources, the proactive management of software updates and adherence to security best practices are key in protecting digital assets against evolving cyber threats.


  • Wordfence Vulnerability Report on Burst Statistics
  • Additional Information on Burst Statistics Vulnerabilities


In the ever-evolving landscape of website security, vigilance remains the beacon for safeguarding digital assets. The discovery of a vulnerability within the "Burst Statistics – Privacy-Friendly Analytics for WordPress" plugin underscores the critical importance of staying current with software updates and highlights the potential risks posed by security oversights.

About the Plugin

"Burst Statistics" serves as a tool for WordPress users seeking privacy-friendly analytics solutions. Developed by rogierlankhorst, this plugin has seen over 1.7 million downloads, with an active installation base of 100,000 sites. It's an essential asset for site owners who value user privacy while gathering insightful data.

Potential Risks

This security flaw opens doors to unauthorized script executions, potentially compromising sensitive data and undermining the integrity of affected websites. It emphasizes the need for robust input sanitization measures and highlights the dangers of insufficient security practices.

Remediation Steps

To mitigate the risk, it's imperative that users promptly update to version 1.5.7 of the Burst Statistics plugin. Regularly reviewing site activities for unusual changes and considering alternative solutions that maintain a strong emphasis on privacy and security can further enhance protections.

Historical Context

This plugin has encountered vulnerabilities in the past, with 5 incidents reported since April 13, 2021. Each event serves as a learning opportunity, driving improvements in security protocols and awareness.

The Importance of Proactive Security

The resolution of CVE-2024-1894 serves as a stark reminder of the ongoing need for vigilance in the face of cybersecurity threats. For small business owners and WordPress site administrators, particularly those with limited IT support, the commitment to regular software updates and security best practices is non-negotiable. It is the foundation upon which the security and reliability of online platforms are built, ensuring the protection of both digital assets and user trust.

Staying Informed

Keeping abreast of the latest security advisories and leveraging resources like the Wordfence Vulnerability Report can provide invaluable insights, helping to navigate the complexities of website security. In a digital age where threats continually evolve, knowledge and prompt action are your best defenses.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Burst Statistics Vulnerability – Authenticated Stored Cross-Site Scripting via burst_total_pageviews_count – CVE-2024-1894 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment