PT-2026-40880 · WordPress · Burst Statistics
Chloe Chamberland
+1
·
Published
2026-05-14
·
Updated
2026-06-08
·
CVE-2026-8181
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Burst Statistics versions 3.4.0 through 3.4.1.1
Description
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress contains an authentication bypass flaw. The issue stems from incorrect return-value handling in the
is mainwp authenticated() function when validating application passwords from the Authorization header. This allows an unauthenticated attacker who knows an administrator username to impersonate that administrator for the duration of a request by providing any random Basic Authentication password, leading to privilege escalation and full site takeover. Over 200,000 sites are estimated to be affected worldwide, with more than 7,400 attacks recorded within 24 hours of disclosure.Recommendations
Update Burst Statistics to version 3.4.2.
Audit administrator accounts for any unrecognized users created during the period of exposure.
Enable automatic updates for plugins to reduce the window of exposure for future issues.
Fix
LPE
RCE
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Burst Statistics