CVE-2026-8181
Published: 14 May 2026
Summary
CVE-2026-8181 is a critical-severity Improper Authentication (CWE-287) vulnerability in the Burst Statistics plugin for WordPress (product inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE is ranked in the top 3.8% of CVEs by exploit likelihood but is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
The Burst Statistics plugin for WordPress, versions 3.4.0 through 3.4.1.1, contains an authentication bypass vulnerability (CWE-287) in its MainWP proxy handling. The flaw stems from incorrect return-value handling inside the is_mainwp_authenticated function when it validates the credentials supplied in an HTTP Basic Authentication Authorization header (the vulnerability description calls these application passwords; WordPress application passwords are presented to the site as Basic Auth credentials). The effect is that, for a known administrator username, any password value is treated as valid.
An unauthenticated remote attacker who knows an administrator username can therefore supply an arbitrary password in a Basic Auth header and impersonate that administrator for the duration of a single request. The plugin then executes that request with full administrative capabilities within its own code paths, so the outcome is privilege escalation to administrator; the CVSS 3.1 base score is 9.8.
The supplied references point only to the vulnerable code paths in class-mainwp-proxy.php and trait-admin-helper.php; no vendor advisory or patch information is present, so until a fixed release is confirmed any installation running 3.4.0 through 3.4.1.1 should be treated as vulnerable. The associated EPSS score has remained low and essentially flat.
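To make the bug class concrete, the following is an added illustration in PHP written for this page; it is not the Burst Statistics plugin's code and does not reproduce the real is_mainwp_authenticated() implementation. The function names, the stand-in WP_Error class, the constructed user record, the stored-hash format and the "correct horse battery" application password are all assumptions chosen so the file runs under plain `php` with no WordPress install. It shows the "incorrect return-value handling" pattern (the caller tests for the wrong failure signal, so a password mismatch falls through as success) next to a hardened version that only accepts a strict boolean true.

```php
<?php
// Added example: hypothetical Basic Auth check with an incorrect
// return-value test, beside a hardened form. NOT the plugin's real code.
declare(strict_types=1);

// Stand-ins for WordPress' WP_Error / is_wp_error() (assumption, so this
// file runs outside WordPress).
class WP_Error {}
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Constructed sample data: one administrator with one application password.
function find_user(string $login): ?array {
    static $users = null;
    if ($users === null) {
        $users = ['admin' => [
            'id'          => 1,
            'role'        => 'administrator',
            'app_pw_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
        ]];
    }
    return $users[$login] ?? null;
}

// Parse "Authorization: Basic base64(user:pass)"; null if malformed.
function parse_basic_auth(string $header): ?array {
    if (stripos($header, 'Basic ') !== 0) return null;
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false || strpos($decoded, ':') === false) return null;
    [$user, $pass] = explode(':', $decoded, 2);
    return ['user' => $user, 'pass' => $pass];
}

// Application-password check: true on match, false on mismatch.
function check_app_password(array $user, string $candidate): bool {
    return password_verify($candidate, $user['app_pw_hash']);
}

// VULNERABLE pattern: check_app_password() reports a mismatch as boolean
// false, but the caller only rejects WP_Error. false is not a WP_Error, so
// the mismatch falls through and the looked-up user is returned as
// authenticated: any password works once the username is known.
function is_mainwp_authenticated_vulnerable(string $header): ?array {
    $creds = parse_basic_auth($header);
    if ($creds === null) return null;
    $user = find_user($creds['user']);
    if ($user === null) return null;
    $result = check_app_password($user, $creds['pass']);
    if (is_wp_error($result)) {
        return null;
    }
    return $user;   // reached for ANY password
}

// HARDENED pattern: only a strict boolean true counts as success, and a
// missing user, a missing application password and a failed verification
// all end in the same refusal.
function is_mainwp_authenticated_fixed(string $header): ?array {
    $creds = parse_basic_auth($header);
    if ($creds === null) return null;
    $user = find_user($creds['user']);
    if ($user === null || empty($user['app_pw_hash'])) return null;
    if (check_app_password($user, $creds['pass']) !== true) return null;
    return $user;
}

// Demonstration: a guessed password against a known admin username.
$forged  = 'Basic ' . base64_encode('admin:anything-at-all');
$genuine = 'Basic ' . base64_encode('admin:correct horse battery');

foreach (['vulnerable' => 'is_mainwp_authenticated_vulnerable',
          'fixed'      => 'is_mainwp_authenticated_fixed'] as $label => $fn) {
    printf("%-10s forged password -> %s\n", $label, $fn($forged) ? 'ADMIN (bypass)' : 'rejected');
    printf("%-10s real password   -> %s\n", $label, $fn($genuine) ? 'admin' : 'rejected');
}
```

The general lesson carries over to real WordPress code: wp_authenticate_application_password() returns a WP_User on success, a WP_Error on a rejected password, and the unchanged input value (typically null) when application-password authentication does not apply, so a caller must test positively for `$result instanceof WP_User` rather than for the absence of an error. When reviewing a plugin's proxy or Basic Auth handler, look for exactly this shape: a lookup that succeeds on the username alone, followed by a check whose failure value is never compared against.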
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30242
Vulnerability details
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.
- CWE(s): CWE-287 (Improper Authentication)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Valid Accounts (T1078)
- Exploit Public-Facing Application (T1190)
Why these techniques?
The authentication bypass in a public-facing WordPress plugin lets an attacker act under a valid administrator account (T1078) by exploiting a web application (T1190).
Affected Assets
- Burst Statistics plugin for WordPress, versions 3.4.0 through 3.4.1.1
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved authorizations by requiring correct validation of credentials before granting administrator access, blocking the return-value bypass in is_mainwp_authenticated().
- IA-2 (Identification and Authentication (Organizational Users)): mandates reliable identification and authentication of users before allowing access, directly countering the flawed Basic Auth handling that permits impersonation with arbitrary passwords.
- Requires proper verification and validation of authenticators supplied via the Authorization header, addressing the incorrect return-value logic that accepts any password for known usernames.