
[CIVN-2026-0244] Authentication Bypass Vulnerability in Burst Statistics plugin of WordPress
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Authentication Bypass Vulnerability in Burst Statistics plugin of WordPress
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
WordPress plugin Burst Statistics versions 3.4.0 to 3.4.1.1
Overview
A critical vulnerability has been reported in the Burst Statistics plugin for WordPress that could allow a remote attacker to bypass security restrictions on the targeted system.
Target Audience:
WordPress website owners, administrators, developers, and hosting providers using the Burst Statistics plugin.
Risk Assessment:
Very high risk of authentication bypass, privilege escalation, and unauthorized administrative access.
Impact Assessment:
Potential impact on confidentiality, integrity, and availability of the affected system.
Description
Burst Statistics is a privacy-focused analytics plugin for WordPress designed as an alternative to traditional analytics solutions.
A critical vulnerability exists in the Burst Statistics plugin for WordPress due to improper handling of the Authorization header in the 'is_mainwp_authenticated()' function. A remote attacker who knows an administrator username could exploit this vulnerability by supplying an arbitrary Basic Authentication password.
Successful exploitation of this vulnerability could allow a remote attacker to impersonate an administrator for the duration of the request and achieve privilege escalation on the targeted system.
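The first thing an administrator or hosting provider needs after reading the affected-version line above is a way to find every installation still inside the 3.4.0 to 3.4.1.1 range. The script below is an added example written for this advisory; it is not CERT-In's, Wordfence's, or the Burst Statistics project's code. It assumes the affected range is inclusive at both ends, that the plugin declares its version in the standard WordPress "Version:" plugin-header line, and that the plugin directory path is passed on the command line (the sample header embedded in the script is constructed, not copied from the real plugin).

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Affected range as stated in the advisory (assumed inclusive at both ends).
AFFECTED_MIN = "3.4.0"
AFFECTED_MAX = "3.4.1.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.4.1.1' into (3, 4, 1, 1); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '3.4.1' and '3.4.1.1' compare component by component."""
    return t + (0,) * (n - len(t))


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version <= AFFECTED_MAX under numeric (not string) comparison."""
    v, lo, hi = parse_version(version), parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def version_from_plugin_header(text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def check_plugin_file(path: Path) -> Tuple[Optional[str], bool]:
    """Return (declared version, affected?) for one plugin main file."""
    version = version_from_plugin_header(path.read_text(errors="replace"))
    return version, bool(version and is_affected(version))


# Constructed sample header for offline demonstration; not the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Burst Statistics
 * Version: 3.4.1
 */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_burst.py /path/to/wp-content/plugins/burst-statistics
        plugin_dir = Path(sys.argv[1])
        for php in plugin_dir.glob("*.php"):
            version, affected = check_plugin_file(php)
            if version:
                print(f"{php}: version {version} -> {'AFFECTED, update now' if affected else 'not in affected range'}")
    else:
        version = version_from_plugin_header(SAMPLE_HEADER)
        print(f"sample header declares {version}; affected={is_affected(version)}")
```

The comparison pads shorter version strings with zeros, so a four-component upper bound like 3.4.1.1 is handled correctly and 3.4.1 is reported as affected while 3.4.2 and 3.4.1.2 are not; a plain string comparison would get several of these wrong.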
Solution
Apply appropriate updates as mentioned:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/burst-statistics/burst-statistics-340-3411-authentication-bypass-to-admin-account-takeover
Vendor Information
Burst Statistics
https://github.com/Burst-Statistics/burst-statistics
References
https://www.wordfence.com/blog/2026/05/200000-wordpress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin/
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/burst-statistics/burst-statistics-340-3411-authentication-bypass-to-admin-account-takeover
https://github.com/advisories/GHSA-qv3x-rrx4-9pmh
CVE Name
CVE-2026-8181
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----