🔐 CVE Alert

CVE-2026-8181

CRITICAL 9.8

Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.

CWE: CWE-287
Vendor: burstbv
Product: Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)
Published: May 14, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Affected Versions

burstbv / Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)
3.4.0 through 3.4.1.1 (inclusive)

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b8a568d3?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L336
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L336
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L328
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L328
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Frontend/class-mainwp-proxy.php#L314
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Frontend/class-mainwp-proxy.php#L314
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/includes/Traits/trait-admin-helper.php#L205
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/burst-statistics/tags/3.4.1.1/includes/Traits/trait-admin-helper.php#L205
github.com: https://github.com/Burst-Statistics/burst-statistics/blob/2488d3fa54045e7e5342b0445b9f6b5eaac9ea7c/includes/Frontend/class-mainwp-proxy.php#L385

Credits

Chloe Chamberland PRISM