Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
Summary
| CVE | CVE-2026-8181 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-14 06:16:25 UTC |
| Updated | 2026-05-14 06:16:25 UTC |
| Description | The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation. |
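The bug class the description names (a failed application-password check whose return value is treated as success) is easy to reproduce in isolation. The following PHP is an added illustration written for this page, not the Burst Statistics code: the function name `is_mainwp_authenticated()` is taken from the description, but its control flow, the `authenticate_app_password()` stand-in for WordPress's application-password check, the minimal `WP_Error`/`WP_User` classes and the admin fixture are all assumed so that the snippet runs stand-alone with the php CLI. It places a vulnerable truthiness check beside the hardened type check and feeds both the same forged Basic Authorization header.

```php
<?php
// Added example (not the plugin's code). Demonstrates how a WP_Error return
// value, which is an object and therefore truthy in PHP, can be mistaken for
// a successful application-password authentication.

// Minimal stand-ins for the WordPress types involved (constructed here).
class WP_Error {
    public $code;
    public function __construct($code) { $this->code = $code; }
}
class WP_User {
    public $ID;
    public $user_login;
    public function __construct($id, $login) { $this->ID = $id; $this->user_login = $login; }
}
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Stand-in for WordPress's application-password check: WP_User on success,
// WP_Error on failure. The single admin/password pair is a constructed fixture.
function authenticate_app_password($user_login, $password) {
    $valid = ['admin' => 'abcd efgh ijkl mnop qrst uvwx'];
    if (isset($valid[$user_login]) && hash_equals($valid[$user_login], $password)) {
        return new WP_User(1, $user_login);
    }
    return new WP_Error('invalid_application_password');
}

// Split "Basic base64(user:pass)" into [user, pass]; null if malformed.
function parse_basic_auth($header) {
    if (stripos($header, 'Basic ') !== 0) return null;
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) return null;
    return explode(':', $decoded, 2);
}

// Assumed vulnerable shape: the result is tested for truthiness only, so a
// WP_Error (an object) passes the check and the request is treated as the admin.
function is_mainwp_authenticated_vulnerable($header) {
    $creds = parse_basic_auth($header);
    if ($creds === null) return false;
    $result = authenticate_app_password($creds[0], $creds[1]);
    if ($result) {                       // BUG: WP_Error is truthy
        return $creds[0];                // caller would set current user to this login
    }
    return false;
}

// Hardened shape: reject WP_Error explicitly and require a WP_User before
// trusting the login; the login is taken from the returned user, not the header.
function is_mainwp_authenticated_fixed($header) {
    $creds = parse_basic_auth($header);
    if ($creds === null) return false;
    $result = authenticate_app_password($creds[0], $creds[1]);
    if (is_wp_error($result) || !($result instanceof WP_User)) {
        return false;
    }
    return $result->user_login;
}

// Forged header: known admin username, arbitrary password (constructed input).
$forged = 'Basic ' . base64_encode('admin:definitely-not-the-real-password');
// Legitimate header for comparison.
$genuine = 'Basic ' . base64_encode('admin:abcd efgh ijkl mnop qrst uvwx');

printf("vulnerable, forged : %s\n", var_export(is_mainwp_authenticated_vulnerable($forged), true));
printf("fixed,      forged : %s\n", var_export(is_mainwp_authenticated_fixed($forged), true));
printf("vulnerable, genuine: %s\n", var_export(is_mainwp_authenticated_vulnerable($genuine), true));
printf("fixed,      genuine: %s\n", var_export(is_mainwp_authenticated_fixed($genuine), true));
```

Run it with `php example.php`: the vulnerable variant accepts the forged header, the fixed variant only the genuine one. The practical checks that follow from this are the ones the advisory already implies: confirm the installed plugin version is outside 3.4.0 to 3.4.1.1, and review access logs for Basic Authorization headers naming an administrator account that arrive from clients which are not your MainWP dashboard.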
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-287 Improper Authentication
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Burstbv | Burst Statistics Privacy-Friendly WordPress Analytics Google Analytics Alternative | affected: 3.4.0 to 3.4.1.1 (semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Traits/trait-admin-he... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Traits/trait-a... | [email protected] | plugins.trac.wordpress.org | |
| github.com/Burst-Statistics/burst-statistics/blob/2488d3fa54045e7e5342b0... | [email protected] | github.com | |
| www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class... | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Chloe Chamberland (en)
CNA: PRISM (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-11T14:17:08.000Z | Vendor Notified |
| CNA | 2026-05-13T16:44:16.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.