CVE-2026-8181
published 2026-05-14

CVE-2026-8181: The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in…

Priority: P1 · 92
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 14.61% (96.2th percentile)
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.

Affected

1 range

Vendor | Product | Version range | Fixed in
burstbv | burst_statistics_privacy-friendly_wordpress_analytics | 3.4.0 – 3.4.1.1 |

Detection & IOCs (extracted from sources)

url: /wp-json/wp/v2/users
url: /wp-json/wp/v2/users/me?context=edit
path: /wp-content/plugins/burst-statistics/
path: /wp-content/plugins/burst-statistics/readme.txt
other: X-BURSTMAINWP: 1
command: Authorization: Basic {{base64(admin_user + ':x')}}
  • Flag unauthenticated GET requests to /wp-json/wp/v2/users (user enumeration step) followed shortly by requests to /wp-json/wp/v2/users/me?context=edit with X-BURSTMAINWP header from the same source IP — this two-step pattern is the full exploit chain.
  • Alert on successful (HTTP 200) responses to /wp-json/wp/v2/users/me?context=edit that contain 'administrator' in the JSON body when the request carries a Basic Auth header with an obviously invalid/single-character password (e.g., ':x').
  • Monitor for new administrator-level account creation via WordPress REST API (POST /wp-json/wp/v2/users) originating from unauthenticated sessions on sites running burst-statistics plugin versions 3.4.0–3.4.1.1.
  • Check installed plugin version via readme.txt: Stable tag values between 3.4.0 and 3.4.1.1 inclusive indicate a vulnerable installation requiring immediate patching to 3.4.2 or later.
  • The vulnerability only affects Burst Statistics plugin versions 3.4.0 through 3.4.1.1; version 3.4.2 (released May 12, 2026) contains the fix. Detection rules should scope to this version range to avoid false positives on patched sites.
  • Exploitation requires knowledge of a valid administrator username, which may be obtained via /wp-json/wp/v2/users enumeration, blog post author fields, or comments — attacker recon activity against these endpoints should be correlated with subsequent exploit attempts.
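Added example, not part of this record or of the plugin's code: the first two detection bullets implemented as a rule run over constructed JSON-lines log entries. The log shape (a hypothetical proxy export with request headers and a response-body excerpt), the field names and the 10-minute correlation window are assumptions.

```python
import base64
import json
from datetime import datetime, timedelta

ENUM_PATH = "/wp-json/wp/v2/users"
ME_PATH = "/wp-json/wp/v2/users/me"
WINDOW = timedelta(minutes=10)  # assumed maximum gap between enumeration and abuse

# Constructed sample log: a hypothetical proxy export as JSON lines carrying the
# request headers and a response-body excerpt. Not taken from any real site.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-05-13T10:00:01Z", "src": "203.0.113.7", "method": "GET", "path": ENUM_PATH,
     "status": 200, "headers": {}, "body": "[{\"slug\":\"admin\"}]"},
    {"ts": "2026-05-13T10:00:09Z", "src": "203.0.113.7", "method": "GET",
     "path": ME_PATH + "?context=edit", "status": 200, "body": "{\"roles\":[\"administrator\"]}",
     "headers": {"X-BURSTMAINWP": "1",
                 "Authorization": "Basic " + base64.b64encode(b"admin:x").decode()}},
    {"ts": "2026-05-13T11:30:00Z", "src": "198.51.100.2", "method": "GET",
     "path": ME_PATH + "?context=edit", "status": 401, "body": "{\"code\":\"rest_not_logged_in\"}",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"admin:correct horse battery").decode()}},
])

def basic_password(headers):
    """Password part of a Basic Authorization header, or None if absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        return base64.b64decode(auth[6:], validate=True).decode().partition(":")[2]
    except (ValueError, UnicodeDecodeError):
        return None

def detect(log_text):
    """Return (src_ip, reason) findings for the two rules described above."""
    findings, last_enum = [], {}  # last_enum: src ip -> time of its last /users listing
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        hdrs, path = ev.get("headers", {}), ev["path"].split("?", 1)[0]
        if ev["method"] == "GET" and path == ENUM_PATH and "Authorization" not in hdrs:
            last_enum[ev["src"]] = ts  # unauthenticated user enumeration step
        if path != ME_PATH:
            continue
        seen = last_enum.get(ev["src"])
        if "X-BURSTMAINWP" in hdrs and seen is not None and ts - seen <= WINDOW:
            findings.append((ev["src"], "enumeration followed by X-BURSTMAINWP request"))
        pw = basic_password(hdrs)
        if ev["status"] == 200 and pw is not None and len(pw) <= 1 and "administrator" in ev.get("body", ""):
            findings.append((ev["src"], "200 administrator response with trivial Basic password"))
    return findings
```

The third constructed entry (a normal-length password answered with 401) is there to show that the rules stay silent on ordinary failed logins.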

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL