CVE-2024-1894
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that this exploit only functions if the victim has the 'Show Toolbar when viewing site' option enabled in their profile.
We have discovered 7,175 live websites that are affected by CVE-2024-1894.
Affected Software
| Product |  Burst Statistics |
| Category | Wordpress Plugins |
| Vulnerable Domains | 7,175 live websites (9.17% of Burst Statistics install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 35 versions ( 79.55% of all versions) |
Details
- Published - Mar 13, 2024
- Updated - Aug 1, 2024
Credits
- Craig Smith (finder)
CVE References
CVE-2024-1894 usage by Country
 United States | 1,771 websites |
 Germany | 1,274 websites |
 France | 644 websites |
 Netherlands | 372 websites |
 GB | 306 websites |
 Denmark | 234 websites |
 Spain | 202 websites |
 Italy | 199 websites |
 Brazil | 198 websites |
 Poland | 180 websites |
CVE-2024-1894 usage by TLD
| .com | 2,629 websites |
| .de | 715 websites |
| .nl | 378 websites |
| .fr | 276 websites |
| .com.br | 274 websites |
| .org | 271 websites |
| .co.uk | 194 websites |
| .it | 171 websites |
| .pl | 142 websites |
| .net | 138 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-1894
Top websites that are affected by CVE-2024-1894. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.de | United States | ***,*** | |
| **********.net | United States | ***,*** | |
| ***********.com |  India | ***,*** | |
| ******.org | United States | ***,*** | |
| ***************.com | United States | ***,*** | |
| *********.fr | France | ***,*** | |
| *********.com | Netherlands | ***,*** | |
| ***********.com | Netherlands | ***,*** | |
| ********.com | United States | ***,*** | |
| ***************.com |  South Africa | ***,*** |
FAQ
A total of 7,175 websites have been identified as vulnerable to CVE-2024-1894, discovered through global website indexing conducted by WebTechSurvey.
Burst Statistics is susceptible to CVE-2024-1894 vulnerability.
Burst Statistics versions before, and including, 1.5.6.1 are vulnerable to CVE-2024-1894.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fa587df5-9d96-4cac-ae5d-2a0485a3a789?source=cve
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L67
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L74
- https://plugins.trac.wordpress.org/changeset?old_path=/burst-statistics/tags/1.5.6.1&old=3049793&new_path=/burst-statistics/tags/1.5.7&new=3049793&sfp_email=&sfph_mail=