Description
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: 14.6% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a flaw in the is_mainwp_authenticated() function where the return value of the password validation is incorrectly interpreted, representing a CWE-287 (Authentication Bypass) weakness. An attacker who knows an administrator’s username can send any Basic Authentication password in the Authorization header. The plugin mistakenly accepts the request and treats the attacker as the admin for the request’s duration, allowing full administrative privileges without legitimate credentials. This permits the attacker to perform any action that a site owner can, effectively enabling a temporary admin takeover.

Affected Systems

The vulnerability affects WordPress sites running the Burst Statistics – Privacy-Friendly WordPress Analytics plugin, specifically versions 3.4.0 through 3.4.1.1. Any installation of these plugin versions is exposed.

Risk and Exploitability

Based on the information, the vulnerability appears to be exploitable over the network via HTTP requests with a forged Authorization header to the plugin’s endpoint. The CVSS score of 9.8 indicates a Critical severity, and the EPSS score of 15% indicates a moderate-to-high probability of exploitation. The vulnerability is not yet listed in the CISA KEV catalog, so no publicly documented exploits are known. Attackers only need network access to the site and knowledge of an administrator’s username; any Basic Authentication password will be accepted by the flawed logic, allowing the attacker to impersonate the administrator for the duration of the request.

Generated by OpenCVE AI on June 24, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Burst Statistics plugin to a version that removes the authentication bypass flaw
  • If immediate upgrade is not possible, restrict access to the plugin’s API endpoints with firewall rules or IP whitelisting so that only trusted clients can reach them
  • Enable comprehensive logging of authentication attempts and monitor admin account activity for any unauthorized changes

Generated by OpenCVE AI on June 24, 2026 at 12:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Burstbv
Burstbv burst Statistics – Privacy-friendly Wordpress Analytics (google Analytics Alternative)
Wordpress
Wordpress wordpress
Vendors & Products Burstbv
Burstbv burst Statistics – Privacy-friendly Wordpress Analytics (google Analytics Alternative)
Wordpress
Wordpress wordpress

Thu, 14 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.
Title Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Burstbv Burst Statistics – Privacy-friendly Wordpress Analytics (google Analytics Alternative)
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:46:32.299Z

Reserved: 2026-05-08T16:24:21.656Z

Link: CVE-2026-8181

cve-icon Vulnrichment

Updated: 2026-05-14T10:46:27.283Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T06:16:25.990

Modified: 2026-06-17T11:03:35.397

Link: CVE-2026-8181

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses