Critical severity9.8NVD Advisory· Published May 14, 2026· Updated May 14, 2026
CVE-2026-8181
CVE-2026-8181
Description
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the is_mainwp_authenticated() function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3(expand)+ 1 more
- (no CPE)
- (no CPE)range: 3.4.0 to 3.4.1.1
Patches
Vulnerability mechanics
References
10- github.com/Burst-Statistics/burst-statistics/blob/2488d3fa54045e7e5342b0445b9f6b5eaac9ea7c/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Traits/trait-admin-helper.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.phpnvd
- plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Traits/trait-admin-helper.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b8a568d3nvd
News mentions
4- Attackers Actively Exploiting Critical Vulnerability in Burst Statistics PluginWordfence Blog · Jun 2, 2026
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026
- Hackers exploit auth bypass flaw in Burst Statistics WordPress pluginBleepingComputer · May 14, 2026
- 200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics PluginWordfence Blog · May 13, 2026