CVE-2026-8181
CriticalSummary
The Burst Statistics – Privacy-Friendly WordPress Analytics plugin is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. The issue arises from incorrect return-value handling in the `is_mainwp_authenticated()` function, allowing unauthenticated attackers to impersonate an administrator.
Risk Assessment
Attackers with knowledge of an administrator username can gain access to their privileges, posing a serious threat to the security of the system and data.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and to monitor logs for potential unauthorized access attempts.
Original NVD description (English source)
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

