WordPress Plugin Vulnerabilities

Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover

Description

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

Affects Plugins

Plugin icon
burst-statistics
Fixed in 3.4.2

References

CVE
CVE-2026-8181
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b8a568d3

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Chloe Chamberland, PRISM
Verified
No
WPVDB ID
34c08ac9-47dc-4cf1-9e58-44121810f5aa

Timeline

Publicly Published
2026-05-13 (about 18 days ago)
Added
2026-05-15 (about 16 days ago)
Last Updated
2026-05-30 (about 16 hours ago)

Other

Published
Title
Published
2016-10-14
Title
OneLogin SAML SSO <= 2.4.2 - Signature Wrapping
Published
2026-01-28
Title
Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation
Published
2023-04-11
Title
Web Stories < 1.32 - Author+ Auth Bypass
Published
2018-09-10
Title
UserPro <= 4.9.27 - User Registration With Administrator Role
Published
2023-07-18
Title
OAuth Single Sign On – SSO (OAuth Client) < 6.23.4 - Improper Authentication