WordPress Plugin Vulnerability Report – Burst Statistics and Burst Statistics Pro – Unauthenticated SQL Injection – CVE-2023-5761

Plugin Name: Burst Statistics and Burst Statistics Pro

Key Information:

  • Software Type: Plugin
  • Software Slug: burst-statistics
  • Software Status: Active
  • Software Author: rogierlankhorst
  • Software Downloads: 1,201,064
  • Active Installs: 100,000
  • Last Updated: December 6, 2023
  • Patched Versions (Burst Statistics): 1.4.0 - 1.4.6.1
  • Affected Versions (Burst Statistics): 1.5.0
  • Patched Versions (Burst Statistics Pro): 1.4.0 - 1.5.0
  • Affected Versions (Burst Statistics Pro): 1.5.1

Vulnerability Details:

  • Name: Burst Statistics – Privacy-Friendly Analytics for WordPress 1.4.0 to 1.4.6.1 - Unauthenticated SQL Injection
  • Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CVE: CVE-2023-5761
  • CVSS Score: 9.8 (Critical)
  • Publicly Published: December 6, 2023
  • Researcher: German Ritter
  • Description: The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Summary:

The Burst Statistics and Burst Statistics Pro plugin for WordPress has a vulnerability in versions up to and including 1.5.1 that allows unauthenticated SQL injection. This vulnerability has been patched in versions 1.4.0 - 1.4.6.1 (Burst Statistics) and 1.4.0 - 1.5.0 (Burst Statistics Pro).

Detailed Overview:

The vulnerability exists due to insufficient escaping of the user-supplied 'url' parameter and a lack of sufficient preparation of the existing SQL query. This allows unauthenticated attackers to append additional SQL queries that can extract sensitive information from the database. The vulnerability was discovered by researcher German Ritter and publicly disclosed on December 6, 2023. It affects 100,000+ active installations of the plugin.

Advice for Users:

  1. Immediate Action: Update to Burst Statistics version 1.4.6.1 or below, or Burst Statistics Pro version 1.5.0 or below.
  2. Check for Signs of Vulnerability: Review web server logs for suspicious requests targeting the 'url' parameter.
  3. Alternate Plugins: Consider privacy-focused analytics plugins like Simple Analytics or Fathom Analytics.
  4. Stay Updated: Always keep plugins updated and sign up for vulnerability notifications.
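As an added example for step 2 (not part of the original report), the following Python script scans combined-format web server logs for requests whose 'url' query parameter carries common SQL injection probe patterns. The log lines, IP addresses and request path are constructed for this example; the report does not name the plugin's endpoint, so the path is a placeholder.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/Nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic SQL injection probe signatures; tune against your own traffic.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b.{0,40}\bselect\b",      # UNION-based extraction attempts
    r"\b(sleep|benchmark)\s*\(",        # time-based probing
    r"\binformation_schema\b",          # schema enumeration
    r"'\s*(or|and)\s+['\d]",            # quote followed by a boolean condition
    r"--(\s|$)|/\*",                    # SQL comment used to cut off the query
)]

# Constructed sample log; the request path is a placeholder, not the plugin's real endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Dec/2023:10:01:22 +0000] "GET /index.php?url=https://example.com/page HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Dec/2023:10:02:10 +0000] "GET /index.php?url=%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 77',
    'not a log line at all',
    '198.51.100.7 - - [06/Dec/2023:10:03:41 +0000] "GET /index.php?url=%2527%2520or%25201%253d1--%2520 HTTP/1.1" 500 0',
]

def parse_line(line):
    """Return (ip, time, target, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("time"), m.group("target"), int(m.group("status"))

def url_param_values(target):
    """Every value of the 'url' query parameter, decoded twice to defeat double-encoding."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("url", [])
    return [unquote_plus(v) for v in values]

def is_suspicious(value):
    return any(p.search(value) for p in SQLI_PATTERNS)

def flag_requests(lines):
    """List of (ip, time, status, decoded_value) for requests whose 'url' value looks like SQLi."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines that are not in combined format
        ip, when, target, status = parsed
        hits.extend((ip, when, status, v) for v in url_param_values(target) if is_suspicious(v))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("SUSPICIOUS", *hit)
```

A 500 status next to a flagged value is worth a closer look, since it often marks a query that broke on the injected input.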

Conclusion:

This critical SQL injection vulnerability allows unauthenticated database access and information disclosure. Users should update immediately to the patched versions to secure their WordPress sites. Prompt patching by the developer addresses the issue for current users.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/burst-statistics

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/burst-statistics/burst-statistics-privacy-friendly-analytics-for-wordpress-140-to-1461-unauthenticated-sql-injection

Detailed Report:

WordPress powers millions of small business websites, yet security upkeep is often deprioritized by time-strapped owners. Unfortunately, overlooked vulnerabilities can have serious consequences; case in point, the popular Burst Statistics privacy analytics plugin. A critical flaw disclosed this week allows unauthenticated attackers to extract sensitive database contents on over 100,000 sites. The developers have addressed this specific issue, but other outdated plugins likely harbor undiscovered vulnerabilities that attackers could exploit if they are not patched proactively.

What is the Burst Statistics Plugin?

With over 1.2 million downloads, Burst Statistics delivers privacy-focused analytics while being GDPR, CCPA and PECR compliant. Data stays on your server, with no connections to external trackers. Many site owners value these capabilities for their business.

Details of the Vulnerability

Researcher German Ritter discovered an SQL injection vulnerability that allows unauthenticated remote attackers to inject malicious SQL via the plugin's 'url' request parameter. No authentication is needed, meaning any external party could exploit this flaw to pull admin credentials, customer data, financial information and more from the WordPress database.

What’s the Risk of Leaving This Unpatched?

Beyond exposing sensitive internal data, the plugin flaw provides an initial foothold that attackers can leverage further up the technology stack into servers, backups and connected infrastructure, potentially placing entire businesses at risk at the hands of malicious hackers.

How Do I Remediate This Vulnerability?

Burst Statistics versions 1.4.6.1 and below (free) and Burst Statistics Pro versions 1.5.0 and below (premium) have addressed this vulnerability. Users should update to those patched releases or consider alternative analytics plugins not susceptible to this particular flaw such as Simple Analytics or Fathom.

Proactively Updating Defends Against Undiscovered Threats Too

While patching this current vulnerability closes the door on that specific exposure risk, updating upon release of new versions more broadly defends against flaws that exist but remain undiscovered in older plugin code. New feature code tends to introduce fresh bugs too. Staying on top of updates shrinks the window of exploitability for your site.

Ongoing Upkeep Brings Peace of Mind

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
