OFFSITE.DARK

Jun 25, 2026

Sploitus

  • wordpress
  • auth-bypass
  • cve
  • plugin
  • privilege-escalation

news

Burst Statistics WordPress Auth Bypass (CVE-2026-8181)

Sploitus-indexed flaw in is_mainwp_authenticated() lets unauthenticated attackers impersonate admins with any Basic Auth password.

Summary

CVE-2026-8181 is a critical authentication bypass in the Burst Statistics WordPress analytics plugin (versions 3.4.0 – 3.4.1.1). Incorrect return-value handling in is_mainwp_authenticated() treats invalid application passwords from the Authorization header as successful authentication. Unauthenticated attackers who know an administrator username can impersonate that user for the request duration by supplying any random Basic Authentication password. Indexed on Sploitus with CVSS 9.8.

OFFSITE.DARK did not author the underlying vulnerability research; Sploitus is cited as the index source.

Technical Details

Aspect         Detail
CVE            CVE-2026-8181
Component      Burst Statistics plugin
Function       is_mainwp_authenticated() in includes/Frontend/class-mainwp-proxy.php
Affected       3.4.0 – 3.4.1.1
Patched        3.4.2
CWE            CWE-287 (Improper Authentication)
Prerequisites  Knowledge of admin username; no valid password required

The MainWP proxy endpoint validates Authorization: Basic credentials but fails to reject invalid application passwords, returning a success path that elevates the request to administrator context.
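The following is an added illustration of the return-value bug class described above; it is not the Burst Statistics plugin's code, and the function names are hypothetical. It assumes WordPress core's wp_authenticate_application_password(), which returns a WP_User on success, a WP_Error on a wrong application password, and the untouched $input_user (null here) when it does not apply.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.
// Assumes WordPress core's wp_authenticate_application_password(), which
// returns WP_User (success), WP_Error (bad password / unknown user), or the
// untouched $input_user (null below) when application passwords do not apply.

/** Vulnerable pattern: treats anything that is not false/null as "authenticated". */
function example_is_authenticated_vulnerable( string $username, string $password ): bool {
    $result = wp_authenticate_application_password( null, $username, $password );
    // BUG: a WP_Error object is truthy in PHP, so only the null case is
    // rejected. Any password for an existing username passes this check, and
    // a caller that then loads the account by the supplied username runs the
    // request as that user.
    return $result ? true : false;
}

/** Hardened pattern: only an actual WP_User object counts as authenticated. */
function example_authenticate_strict( string $username, string $password ): ?WP_User {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( is_wp_error( $result ) || ! ( $result instanceof WP_User ) ) {
        // Covers WP_Error, null, and any other unexpected return type.
        return null;
    }
    return $result;
}

/** Caller sketch (hypothetical): elevate only after the strict check passes. */
function example_handle_proxy_request( string $username, string $password ): void {
    $user = example_authenticate_strict( $username, $password );
    if ( null === $user ) {
        status_header( 401 );
        header( 'WWW-Authenticate: Basic realm="MainWP proxy"' );
        exit;
    }
    // Use the verified user object, not a lookup by the attacker-supplied name.
    wp_set_current_user( $user->ID );
}
```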

CVE

Field          Value
CVE            CVE-2026-8181
CVSS           9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Published      2026-05-14
Sploitus date  2026-06-25
Source CNA     Wordfence

Impact

Privilege escalation to administrator for the duration of a crafted request enables plugin settings changes, user creation, theme/plugin installation, and full site compromise when chained with other admin-only actions.

Mitigation

  1. Upgrade Burst Statistics to 3.4.2+ immediately.
  2. Deactivate the plugin until patched if updates are blocked.
  3. Rotate administrator passwords and WordPress security salts after suspected exploitation.
  4. Restrict access to MainWP proxy endpoints at the web server where not required.
  5. Audit admin activity logs for anomalous API calls that carry Basic Auth headers without a prior login session.
