CVE-2026-8181
Published 2026-05-14
CVE-2026-8181: The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in…
PriorityP192critical9.8CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 14.61% (96.2th percentile)
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| burstbv | burst_statistics_privacy-friendly_wordpress_analytics | 3.4.0 – 3.4.1.1 | — |
Detection & IOCs (extracted from sources)
- url: /wp-json/wp/v2/users/me?context=edit
- path: /wp-content/plugins/burst-statistics/
- path: /wp-content/plugins/burst-statistics/readme.txt
- other: X-BURSTMAINWP: 1
- command: Authorization: Basic {{base64(admin_user + ':x')}}
- Flag unauthenticated GET requests to /wp-json/wp/v2/users (user enumeration step) followed shortly by requests to /wp-json/wp/v2/users/me?context=edit with the X-BURSTMAINWP header from the same source IP; this two-step pattern is the full exploit chain.
- Alert on successful (HTTP 200) responses to /wp-json/wp/v2/users/me?context=edit that contain 'administrator' in the JSON body when the request carries a Basic Auth header with an obviously invalid/single-character password (e.g., ':x').
- Monitor for new administrator-level account creation via the WordPress REST API (POST /wp-json/wp/v2/users) originating from unauthenticated sessions on sites running burst-statistics plugin versions 3.4.0–3.4.1.1.
- Check the installed plugin version via readme.txt: Stable tag values between 3.4.0 and 3.4.1.1 inclusive indicate a vulnerable installation requiring immediate patching to 3.4.2 or later.
- The vulnerability only affects Burst Statistics plugin versions 3.4.0 through 3.4.1.1; version 3.4.2 (released May 12, 2026) contains the fix. Detection rules should scope to this version range to avoid false positives on patched sites.
- Exploitation requires knowledge of a valid administrator username, which may be obtained via /wp-json/wp/v2/users enumeration, blog post author fields, or comments; attacker recon activity against these endpoints should be correlated with subsequent exploit attempts.
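The first two detection heuristics above (the enumerate-then-impersonate chain from one source IP, and an HTTP 200 administrator response obtained with a one-character Basic Auth password), implemented as an added example that is not from any of the page's sources. It assumes a JSON-per-line request log that includes request headers, as a reverse proxy or WAF might emit; the log lines are constructed.

```python
import base64
import json
from datetime import datetime, timedelta

# Constructed sample log lines (one JSON object per line); not real traffic from any site.
SAMPLE_LOG = """
{"ts": "2026-05-13T10:00:01Z", "ip": "203.0.113.7", "path": "/wp-json/wp/v2/users", "headers": {}, "status": 200, "body": "[]"}
{"ts": "2026-05-13T10:00:09Z", "ip": "203.0.113.7", "path": "/wp-json/wp/v2/users/me?context=edit", "headers": {"X-BURSTMAINWP": "1", "Authorization": "Basic YWRtaW46eA=="}, "status": 200, "body": "{\\"roles\\":[\\"administrator\\"]}"}
{"ts": "2026-05-13T11:30:00Z", "ip": "198.51.100.4", "path": "/wp-json/wp/v2/users/me?context=edit", "headers": {"Authorization": "Basic YWRtaW46Y29ycmVjdC1ob3JzZQ=="}, "status": 200, "body": "{\\"roles\\":[\\"administrator\\"]}"}
"""

def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def basic_auth_password(auth_header):
    """Return the password part of a 'Basic <base64>' header value, or None if not Basic/undecodable."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[1] if ":" in decoded else None

def find_two_step_chains(events, window=timedelta(minutes=10)):
    """Rule 1: /wp/v2/users enumeration, then within `window` a users/me request with X-BURSTMAINWP from the same IP."""
    last_enum = {}  # source IP -> time of its most recent enumeration request
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        headers = {k.lower(): v for k, v in ev["headers"].items()}
        if ev["path"].startswith("/wp-json/wp/v2/users/me"):
            seen = last_enum.get(ev["ip"])
            if "x-burstmainwp" in headers and seen is not None and ts - seen <= window:
                hits.append(ev["ip"])
        elif ev["path"].startswith("/wp-json/wp/v2/users"):  # enumeration step
            last_enum[ev["ip"]] = ts
    return hits

def find_weak_basic_auth_admin(events):
    """Rule 2: HTTP 200 on users/me showing 'administrator' while the Basic Auth password is at most one character."""
    hits = []
    for ev in events:
        headers = {k.lower(): v for k, v in ev["headers"].items()}
        password = basic_auth_password(headers.get("authorization"))
        if (ev["path"].startswith("/wp-json/wp/v2/users/me") and ev["status"] == 200
                and "administrator" in ev["body"] and password is not None and len(password) <= 1):
            hits.append((ev["ip"], password))
    return hits
```

Both rules should still be scoped to hosts running 3.4.0 through 3.4.1.1, as the list above notes, since a legitimate MainWP connector sending X-BURSTMAINWP on a patched site will otherwise surface as noise.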
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-qv3x-rrx4-9pmh (ghsa_unreviewed · 2026-05-14 · CRITICAL · CWE-287): The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass
VulnCheck
burst-statistics burst_statistics Improper Authentication (vulncheck · 2026 · CVSS 9.8 CRITICAL)
Affected: Burst Statistics B.V. Burst Statistics
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of t
No detection rules found.
Nuclei
WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass (nuclei · CVSS 9.8 CRITICAL)
Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in the is_mainwp_authenticated() function, letting unauthenticated attackers impersonate administrators; exploitation requires knowledge of an administrator username.
Template:

```yaml
id: CVE-2026-8181
info:
  name: WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
  author: 0x_Akoko
  severity: critical
  description: |
    Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in is_mainwp_authenticated() function, letting unauthenticated attackers impersonate administrators, expl
```
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (blogs_hackernews · 2026-05-18 · CVE-2026-42897 · CVSS 6.1 MEDIUM)
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Bleepingcomputer
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin (blogs_bleepingcomputer · 2026-05-14 · CVSS 9.8 CRITICAL)
By Bill Toulas
Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.
Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.
The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.
According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even create rogue admin accounts.
“This
References
- https://github.com/Burst-Statistics/burst-statistics/blob/2488d3fa54045e7e5342b0445b9f6b5eaac9ea7c/includes/Frontend/class-mainwp-proxy.php#L385
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L314
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L328
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L336
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Traits/trait-admin-helper.php#L205
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L314
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L328
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L336
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Traits/trait-admin-helper.php#L205
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b8a568d3?source=cve