Authentication Bypass Vulnerability in Burst Statistics Plugin for WordPress
CVE-2026-8181
Key Information:
- Vendor: WordPress
- CVE Published: 14 May 2026
What is CVE-2026-8181?
The Burst Statistics plugin for WordPress contains an authentication bypass that unauthenticated attackers can exploit, caused by incorrect handling of return values in the authentication process. The flaw is in the is_mainwp_authenticated() function: an attacker who knows an administrator's username can impersonate that user during a request by supplying any arbitrary Basic Authentication password. This poses a significant threat to the security and integrity of WordPress sites using this plugin, as it can lead to unauthorized access and potential privilege escalation.
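The page does not reproduce the plugin's code. As an added illustration of the bug class described above (not the Burst Statistics source), the PHP below shows a credential check that returns an error object on failure, a caller that mishandles that return value, and a corrected caller. Every name in it is hypothetical and the account data is constructed.

```php
<?php
// Constructed illustration of a return-value handling bug in an auth check.
// Not the plugin's code: AuthFailure, check_basic_credentials() and both
// callers are hypothetical names invented for this example.

final class AuthFailure
{
    public function __construct(public string $reason) {}
}

/** Returns the user id (int) on success, an AuthFailure object on failure. */
function check_basic_credentials(string $user, string $pass): int|AuthFailure
{
    // Constructed sample account store; the hash is computed at run time.
    static $accounts = null;
    $accounts ??= ['admin' => ['id' => 1,
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

    if (!isset($accounts[$user])) {
        return new AuthFailure('unknown user');
    }
    if (!password_verify($pass, $accounts[$user]['hash'])) {
        return new AuthFailure('bad password');
    }
    return $accounts[$user]['id'];
}

// Flawed caller: any object is truthy in PHP, so the AuthFailure returned
// for a wrong password is treated the same as a successful login.
function is_authenticated_flawed(string $user, string $pass): bool
{
    return (bool) check_basic_credentials($user, $pass);
}

// Corrected caller: accept only the documented success type and value.
function is_authenticated_fixed(string $user, string $pass): bool
{
    $result = check_basic_credentials($user, $pass);
    return is_int($result) && $result > 0;
}

// Compare both callers on a correct and an arbitrary password.
foreach ([['admin', 'correct horse'], ['admin', 'anything']] as [$u, $p]) {
    printf("%-6s %-14s flawed=%-5s fixed=%s\n", $u, $p,
        var_export(is_authenticated_flawed($u, $p), true),
        var_export(is_authenticated_fixed($u, $p), true));
}
```

When reviewing authentication code, the thing to check is that every caller tests for the success type explicitly rather than relying on truthiness of a value that can also be an error object.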
Affected Version(s)
Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) 3.4.0 <= 3.4.1.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.
News Articles
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.
Timeline
- Public PoC available
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved