Description
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: 4.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Burst Statistics plugin contains a flaw in the is_mainwp_authenticated() function, where the return value of the password validation is incorrectly interpreted. An attacker who knows an administrator’s username can send any Basic Authentication password in the Authorization header. The plugin mistakenly accepts the request and treats the attacker as the admin for the request’s duration, allowing full administrative privileges without legitimate credentials. This gives the attacker the ability to perform any action that a site owner can, effectively enabling a temporary admin takeover.

Affected Systems

The vulnerability affects WordPress sites running the Burst Statistics – Privacy-Friendly WordPress Analytics plugin, specifically versions 3.4.0 through 3.4.1.1. Any installation of these plugin versions is exposed.

Risk and Exploitability

It is inferred that the attack vector is via HTTP requests with a forged Authorization header to the plugin’s endpoint. The flaw carries a CVSS score of 9.8, categorizing it as Critical. The EPSS score is 5%, indicating a moderate probability of exploitation, and it is not currently listed in the CISA KEV catalog, suggesting no publicly documented exploits yet. The attack requires only network access to the site and knowledge of an administrator username, with the password being arbitrary.

Generated by OpenCVE AI on June 3, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Burst Statistics plugin to a version that removes the authentication bypass flaw
  • If immediate upgrade is not possible, restrict access to the plugin’s API endpoints with firewall rules or IP whitelisting so that only trusted clients can reach them
  • Enable comprehensive logging of authentication attempts and monitor admin account activity for any unauthorized changes

Generated by OpenCVE AI on June 3, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Burstbv
Burstbv burst Statistics – Privacy-friendly Wordpress Analytics (google Analytics Alternative)
Wordpress
Wordpress wordpress
Vendors & Products Burstbv
Burstbv burst Statistics – Privacy-friendly Wordpress Analytics (google Analytics Alternative)
Wordpress
Wordpress wordpress

Thu, 14 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.
Title Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Burstbv Burst Statistics – Privacy-friendly Wordpress Analytics (google Analytics Alternative)
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:46:32.299Z

Reserved: 2026-05-08T16:24:21.656Z

Link: CVE-2026-8181

cve-icon Vulnrichment

Updated: 2026-05-14T10:46:27.283Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T06:16:25.990

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-8181

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T14:45:20Z

Weaknesses