
Burst Statistics CVE-2026-8181

EUVD-2026-30242 · CRITICAL
Improper Authentication (CWE-287)
2026-05-14 · security@wordfence.com · GHSA-qv3x-rrx4-9pmh
CVSS 3.1 (NVD): 9.8

Severity by source

NVD (primary): 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • CVE Published: May 14, 2026 - 06:16 (NVD) · CRITICAL 9.8
  • Analysis Generated: Jun 08, 2026 - 08:21 (vuln.today)

Description (CVE.org)

The Burst Statistics - Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the is_mainwp_authenticated() function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.

Analysis (AI-generated)

Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw lies in incorrect return-value handling within the is_mainwp_authenticated() function, which validates application passwords taken from the Authorization header; the result is privilege escalation for the duration of each such request. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Enumerate WordPress admin username
  • Delivery: Send request to MainWP proxy endpoint
  • Exploit: Supply Basic auth with arbitrary password
  • Execution: Bypass is_mainwp_authenticated() check
  • Persist: Execute request as administrator
  • Impact: Exfiltrate data or escalate site control

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires that the target WordPress site has the Burst Statistics plugin installed and activated at versions 3.4.0 through 3.4.1.1, and that the attacker knows (or can enumerate) a valid administrator username on the site. …

Risk Assessment: The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical) is consistent with the description: network-reachable, no privileges required, no user interaction, with full impact on confidentiality, integrity, and availability. …

Exploit Scenario: An attacker identifies an administrator username on a target WordPress site through standard enumeration (REST API `/wp-json/wp/v2/users`, author archives, or login error messages), then sends a single HTTP request to a Burst Statistics MainWP proxy endpoint with an Authorization header containing `Basic base64(admin:anyrandomstring)`. Because `is_mainwp_authenticated()` returns a success-equivalent value regardless of password correctness, the plugin treats the request as coming from that administrator, and the attacker can perform administrator-level actions for the duration of the request, such as exfiltrating analytics data or chaining into broader site compromise. …

Remediation: No vendor-released fixed version is enumerated in the provided data, so administrators should upgrade Burst Statistics to the latest release published after 3.4.1.1 via the WordPress plugin dashboard and confirm the fix against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b8a568d3?source=cve and the upstream repository at https://github.com/Burst-Statistics/burst-statistics. …

Recommended Action (AI-generated)

24 Hours: Identify all WordPress instances running Burst Statistics 3.4.0-3.4.1.1 and immediately disable the plugin; implement emergency network restrictions on WordPress admin interfaces if possible. …


CVE-2026-8181 vulnerability details – vuln.today
