CVE-2026-8181

Description

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

burstbv / Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative)3.4.0 – 3.4.1.1

Exploits & PoCs

nucleiWordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypassby 0x_Akoko

Description

CVSS breakdown

Affected products

Exploits & PoCs

References