CVE Catalog

CVE-2026-8181

Critical
Published: Translated: NVD NIST

Summary

The Burst Statistics – Privacy-Friendly WordPress Analytics plugin is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. The issue arises from incorrect return-value handling in the `is_mainwp_authenticated()` function, allowing unauthenticated attackers to impersonate an administrator.

Risk Assessment

Attackers with knowledge of an administrator username can gain access to their privileges, posing a serious threat to the security of the system and data.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and to monitor logs for potential unauthorized access attempts.

Original NVD description (English source)

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS