EXECUTIVE SUMMARY:
CVE-2026-8181 (CVSS score 9.8) is a critical authentication bypass vulnerability in the Burst Statistics plugin, a popular analytics plugin with over 200,000 active installations, introduced by its integration with the MainWP site management platform. The bug resides in the is_mainwp_authenticated() function, which silently passes when wp_authenticate_application_password() returns null instead of a WP_Error. This allows an attacker to fully impersonate an administrator user for the duration of a request by supplying any arbitrary, incorrect password in a Basic Authentication header. Once authenticated, the attacker can exploit this flaw to create a new administrator-level account, with no prior authentication whatsoever, by sending a single request to the WordPress core users endpoint, gaining elevated privileges and potentially leading to unauthorized data access, manipulation, or deletion.
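The root cause described above is a classic "absence of error is not proof of success" check. The PHP below is an added illustration written for this advisory; it is not the Burst Statistics plugin's code and does not reproduce its internals. WordPress core's wp_authenticate_application_password() returns a WP_User on success, a WP_Error on a failed attempt, and the input user unchanged (null when called with null) when application-password authentication does not apply to the request. The stand-in function, the $app_passwords_applicable flag, the WP_User/WP_Error stubs and the sample credential are all constructed for the demo; which core condition produces the null path in the real bug is not covered by this page.

```php
<?php
// Added illustrative example, not the plugin's own code.
// Minimal stubs so this runs outside WordPress; a real site already defines them.
class WP_Error { public $code; public function __construct($code) { $this->code = $code; } }
class WP_User  { public $ID;   public function __construct($id)   { $this->ID = $id; } }
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Stand-in for wp_authenticate_application_password(). Like core, it returns the
// input user untouched (null here) when application passwords do not apply to the
// request, BEFORE any password is checked; it only returns WP_Error on a real failure.
function fake_wp_authenticate_application_password($input_user, $username, $password, $app_passwords_applicable) {
    if (!$app_passwords_applicable) {
        return $input_user; // null passes straight through; no password was verified
    }
    // Constructed sample credential for the demo only.
    if ($username === 'admin' && $password === 'correct-app-password') {
        return new WP_User(1);
    }
    return new WP_Error('incorrect_password');
}

// VULNERABLE pattern: rejects only explicit errors, so a null result counts as success.
function is_authenticated_vulnerable($username, $password, $app_passwords_applicable) {
    $result = fake_wp_authenticate_application_password(null, $username, $password, $app_passwords_applicable);
    if (is_wp_error($result)) {
        return false;
    }
    return true; // reached for a WP_User AND for null
}

// HARDENED pattern: require a positive WP_User result before trusting the request.
function is_authenticated_hardened($username, $password, $app_passwords_applicable) {
    $result = fake_wp_authenticate_application_password(null, $username, $password, $app_passwords_applicable);
    return $result instanceof WP_User;
}

// Demo: the same three requests through both gates.
$cases = [
    ['admin', 'correct-app-password', true,  'valid credential, app passwords applicable'],
    ['admin', 'wrong',                true,  'wrong credential, app passwords applicable'],
    ['admin', 'wrong',                false, 'wrong credential, core returns null'],
];
foreach ($cases as [$user, $pass, $applicable, $label]) {
    printf("%-45s vulnerable=%s hardened=%s\n",
        $label,
        is_authenticated_vulnerable($user, $pass, $applicable) ? 'PASS' : 'deny',
        is_authenticated_hardened($user, $pass, $applicable)   ? 'PASS' : 'deny');
}
```

The third case is the failure mode the advisory describes: the vulnerable gate grants access although no password was ever verified, while the hardened gate denies it. The same rule applies to any custom gate built on WordPress authentication helpers: test for the positive WP_User outcome rather than for the absence of a WP_Error.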
RECOMMENDATION:
We recommend updating Burst Statistics to version 3.4.2 or later.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/burst-statistics-authentication-bypass-cve-2026-8181-exploited/