CVE-2026-8181
CRITICAL · 9.8
Same-day advisory, vendor triage signals, high-engagement chatter; KEV absence and unconfirmed exploitation metrics hold back the full HACK score.
What: Burst Statistics WordPress plugin (versions 3.4.0–3.4.1.1) authentication bypass via incorrect return-value handling in is_mainwp_authenticated(), allowing unauthenticated attackers to impersonate administrators with any Basic Auth password. CVSS 9.8 (CRITICAL).
Why it matters: Published today; affects 200k+ WordPress sites; allows admin impersonation and privilege escalation. Not yet KEV-listed, but high-engagement chatter from DFIR and security vendors signals urgent awareness. Patch (3.4.2) is available; defenders are triaging immediately.
Where it's seen: Breaking advisory chatter across Twitter and Bluesky from DFIR teams, security firms, and vulnerability aggregators. Posts emphasize immediate patching; one vendor flagged "5,000+ attacks blocked," though no public PoC or in-the-wild exploitation has been confirmed yet.
RISK: CRITICAL — CVSS 9.8, 200k+ sites, unauthenticated admin takeover, patch available.
Description
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, thereby achieving privilege escalation.
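The advisory does not reproduce the affected code, so the following is an added, hypothetical illustration of the bug class it names (an authentication check that mishandles the return value of WordPress's application-password validator). It is not the Burst Statistics plugin's code. `WP_Error`, `WP_User`, `is_wp_error()` and `wp_authenticate_application_password()` are reduced stand-ins for the WordPress core APIs of the same name, kept only to the contract that matters here (a `WP_User` on success, a `WP_Error` on failure, the first argument passed through when no credentials are present), so the file runs with plain `php` and no WordPress install. The credential store and the two request headers are constructed sample data.

```php
<?php
// Added illustration of the return-value-handling bug class; NOT the plugin's code.
// The WordPress names below are stand-ins with the same return contract as core.

declare(strict_types=1);

// Minimal stand-ins for WordPress core types (assumption: shape only).
class WP_Error { public function __construct(public string $code, public string $message) {} }
class WP_User  { public function __construct(public int $ID, public string $user_login) {} }
function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Constructed credential store: one admin with one valid application password.
const STUB_APP_PASSWORDS = ['admin' => 'correct-horse-battery-staple'];

// Stand-in for wp_authenticate_application_password(): same contract as core.
// Returns WP_User on success, WP_Error on failure, or $input_user when no credentials.
function wp_authenticate_application_password(mixed $input_user, string $username, string $password): mixed
{
    if ($username === '' || $password === '') {
        return $input_user; // nothing to check: pass through (null here)
    }
    if (isset(STUB_APP_PASSWORDS[$username]) && hash_equals(STUB_APP_PASSWORDS[$username], $password)) {
        return new WP_User(1, $username);
    }
    return new WP_Error('invalid_application_password', 'Invalid application password.');
}

// Parse an "Authorization: Basic <base64(user:pass)>" header value into [user, pass].
// Splits on the FIRST colon only, because passwords may themselves contain colons.
function parse_basic_auth(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// VULNERABLE pattern: treats any non-falsy return as "authenticated".
// In PHP every object is truthy, so a WP_Error (the failure signal) passes this test.
function is_authenticated_vulnerable(string $header): bool
{
    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return false;
    }
    $result = wp_authenticate_application_password(null, $creds[0], $creds[1]);
    return (bool) $result; // BUG: WP_Error is an object, so this is true on failure
}

// HARDENED pattern: accept only a WP_User; treat WP_Error and pass-through as failure.
function is_authenticated_hardened(string $header): bool
{
    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return false;
    }
    $result = wp_authenticate_application_password(null, $creds[0], $creds[1]);
    if (is_wp_error($result) || !($result instanceof WP_User)) {
        return false;
    }
    return true;
}

// Constructed requests: valid credentials, and a known username with a junk password.
$good = 'Basic ' . base64_encode('admin:correct-horse-battery-staple');
$junk = 'Basic ' . base64_encode('admin:definitely-wrong');

foreach (['good' => $good, 'junk' => $junk] as $label => $header) {
    printf("%-4s vulnerable=%s hardened=%s\n", $label,
        var_export(is_authenticated_vulnerable($header), true),
        var_export(is_authenticated_hardened($header), true));
}
```

Run with `php example.php`: the junk password for a known username is accepted by the truthiness check and rejected by the type check. The review point for defenders auditing similar plugin code is that a WordPress authentication helper signals failure with an object, not with `false`, so the only safe acceptance test is a positive one (`instanceof WP_User`, plus an `is_wp_error()` guard), never `if ($result)` or `!empty($result)`.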
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Weaknesses
References
- https://github.com/Burst-Statistics/burst-statistics/blob/2488d3fa54045e7e5342b0445b9f6b5eaac9ea7c/includes/Frontend/class-mainwp-proxy.php#L385
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L314
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L328
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L336
- https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Traits/trait-admin-helper.php#L205
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L314
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L328
- https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L336