PT-2026-40880 · WordPress · Burst Statistics

Chloe Chamberland

+1

·

Published

2026-05-14

·

Updated

2026-06-08

·

CVE-2026-8181

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Burst Statistics versions 3.4.0 through 3.4.1.1
Description The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress contains an authentication bypass flaw. The issue stems from incorrect return-value handling in the is mainwp authenticated() function when validating application passwords from the Authorization header. This allows an unauthenticated attacker who knows an administrator username to impersonate that administrator for the duration of a request by providing any random Basic Authentication password, leading to privilege escalation and full site takeover. Over 200,000 sites are estimated to be affected worldwide, with more than 7,400 attacks recorded within 24 hours of disclosure.
Recommendations Update Burst Statistics to version 3.4.2. Audit administrator accounts for any unrecognized users created during the period of exposure. Enable automatic updates for plugins to reduce the window of exposure for future issues.

Fix

LPE

RCE

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8181

Affected Products

Burst Statistics