Platform
wordpress
Component
burst-statistics
Fixed version
1.4.7
1.5.1
CVE-2023-5761 describes a critical SQL Injection vulnerability affecting the Burst Statistics – Privacy-Friendly Analytics for WordPress plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data extraction. The vulnerability impacts versions 1.4.0 through 1.5.0 of both the free and pro versions of the plugin. A patch is available to resolve this issue.
The SQL Injection vulnerability in Burst Statistics allows attackers to directly manipulate database queries. By injecting malicious SQL code through the 'url' parameter, an attacker can bypass security measures and gain access to sensitive information stored within the WordPress database. This could include user credentials, plugin configuration data, and potentially other sensitive application data. Successful exploitation could lead to complete database compromise and unauthorized access to the entire WordPress site. The lack of authentication required for exploitation significantly broadens the attack surface, making it a high-priority risk.
CVE-2023-5761 was publicly disclosed on December 7, 2023. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a likely target for malicious actors. No public proof-of-concept exploits have been widely released, but the vulnerability's nature suggests that such exploits could be developed and deployed rapidly. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Burst Statistics plugin, particularly those running versions 1.4.0 through 1.5.0, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with weak database security configurations are also at increased risk.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/burst-statistics/
• generic web:
curl -I 'https://your-wordpress-site.com/?url='  # Confirms the endpoint answers; response headers alone do not show whether the 'url' parameter is sanitized.
• wordpress / composer / npm:
wp plugin list --status=inactive | grep 'burst-statistics'
• wordpress / composer / npm:
wp plugin update burst-statistics
Disclosure
Exploitation status
EPSS
0.51% (66th percentile)
CVSS vector
The primary mitigation for CVE-2023-5761 is to immediately upgrade the Burst Statistics plugin to a patched version. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts targeting the 'url' parameter can provide an additional layer of defense. Review WordPress access logs for suspicious SQL queries originating from external sources. After upgrading, confirm the fix by attempting to inject a simple SQL query through the 'url' parameter and verifying that it is properly sanitized and does not execute.
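The log review suggested above can be automated. The following is an added example, not code from the advisory or from the Burst Statistics project: it parses web-server access-log lines in the common Apache/Nginx "combined" format (an assumption about the log layout), pulls out the 'url' query parameter of each request, and flags values carrying SQL-injection indicators. The indicator list and the sample log lines are constructed for illustration.

```python
"""Flag access-log requests whose 'url' parameter looks like SQL tampering.

Added example for CVE-2023-5761 triage; not the plugin's code. Assumes the
Apache/Nginx "combined" log format. Indicator patterns are illustrative.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each entry: compiled pattern, label reported when it matches.
INDICATORS = [
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union-select"),
    (re.compile(r"(--|#|/\*)"), "sql-comment"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I), "time-based"),
    (re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I), "boolean-tautology"),
    (re.compile("['\"]"), "quote"),
]

# Constructed sample lines: one benign request, two suspicious ones, one
# request without a 'url' parameter at all.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Dec/2023:10:15:01 +0000] "GET /?url=https%3A%2F%2Fexample.com%2Fpricing HTTP/1.1" 200 512
203.0.113.9 - - [07/Dec/2023:10:15:03 +0000] "GET /?url=x%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 2048
198.51.100.4 - - [07/Dec/2023:10:15:05 +0000] "GET /?url=x%27%20OR%201%3D1--%20- HTTP/1.1" 200 1024
198.51.100.5 - - [07/Dec/2023:10:15:07 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
"""


def extract_url_param(target):
    """Return the decoded 'url' query parameter of a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("url")
    if not values:
        return None
    # parse_qs decodes once; decode again so double-encoded payloads are
    # inspected in their final form.
    return unquote_plus(values[0])


def classify(value):
    """Return the labels of every indicator that matches the parameter value."""
    return [label for pattern, label in INDICATORS if pattern.search(value)]


def scan(lines, min_indicators=2):
    """Return (ip, timestamp, decoded value, labels) for each request whose
    'url' parameter matches at least min_indicators indicators.

    Requiring two indicators keeps a lone apostrophe in a legitimate URL
    from raising an alert on its own.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        value = extract_url_param(m.group("target"))
        if value is None:
            continue
        labels = classify(value)
        if len(labels) >= min_indicators:
            findings.append((m.group("ip"), m.group("ts"), value, labels))
    return findings


if __name__ == "__main__":
    for ip, ts, value, labels in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} url={value!r} indicators={labels}")
```

Feed it a real log with `scan(open("/var/log/nginx/access.log"))` and lower `min_indicators` to 1 for a noisier but more complete sweep; any hit from an external address during the affected-version window is worth a closer look at the database for unexpected reads.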
Update the Burst Statistics plugin to the latest available version. The SQL injection vulnerability allows unauthenticated attackers to extract sensitive information from the database. The update corrects the missing sanitization of the 'url' parameter.
CVE-2023-5761 is a critical SQL Injection vulnerability affecting the Burst Statistics WordPress plugin versions 1.4.0–1.5.0, allowing attackers to extract sensitive data.
If you are using Burst Statistics WordPress plugin versions 1.4.0 through 1.5.0 (free or pro), you are potentially affected and should upgrade immediately.
Upgrade the Burst Statistics plugin to the latest available version. If upgrading is not possible, temporarily disable the plugin.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the Burst Statistics plugin's official website or WordPress plugin repository for the latest advisory and patch information.