Cyber Resilience

CVE-2026-8181

Severity: Critical
Published: 14 May 2026
Modified: 14 May 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1461 (96.2nd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-8181 is a critical-severity Improper Authentication (CWE-287) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). It ranks in the top 3.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

The Burst Statistics plugin for WordPress, versions 3.4.0 through 3.4.1.1, contains an authentication bypass vulnerability (CWE-287) in its MainWP proxy handling. The flaw stems from incorrect return-value handling inside the is_mainwp_authenticated function when it processes Basic Authentication credentials supplied via the Authorization header, allowing any value to be treated as valid for a known administrator username.

An unauthenticated remote attacker who knows an administrator username can supply an arbitrary password in a Basic Auth header to impersonate that administrator for the duration of a single request. This grants full administrative capabilities within the affected plugin context, resulting in privilege escalation with a CVSS 3.1 score of 9.8.

The supplied references point only to the vulnerable code paths in class-mainwp-proxy.php and trait-admin-helper.php; no vendor advisory or patch information is present. The associated EPSS score has remained low and essentially flat.


Vulnerability details

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.
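The "Deeper analysis" and "Vulnerability details" sections above both describe the same bug class: a credential check whose return value is interpreted too loosely, so a failure result is treated as success. The following PHP snippet is an added illustration of that class written for this page; it is not the Burst Statistics plugin's code, the function names burst_example_vulnerable_check() and burst_example_hardened_check() are invented here, and the plugin's actual defect may differ in detail. It assumes the WordPress core function wp_authenticate_application_password(), which returns a WP_User on success, a WP_Error on failure, or its first argument unchanged when the request carries no application password.

```php
<?php
// Added illustration of CWE-287 via loose return-value handling.
// Hypothetical code, not the Burst Statistics plugin's own implementation.
// Relies on WordPress core (wp_authenticate_application_password, is_wp_error,
// WP_User, user_can) being loaded, i.e. this runs inside a WordPress request.

/**
 * Vulnerable pattern (illustrative): the result is coerced to bool. In PHP every
 * object is truthy, so a WP_Error returned for a wrong password is treated the
 * same as a WP_User returned for a correct one. Any password therefore "passes"
 * for a username that exists.
 */
function burst_example_vulnerable_check( string $username, string $password ): bool {
    $result = wp_authenticate_application_password( null, $username, $password );
    return (bool) $result; // WP_Error object => true => authentication bypass
}

/**
 * Hardened pattern: reject null and WP_Error explicitly, accept only a genuine
 * WP_User, and require the administrator capability instead of relying on the
 * caller knowing an administrator's username.
 */
function burst_example_hardened_check( string $username, string $password ): bool {
    $result = wp_authenticate_application_password( null, $username, $password );

    if ( null === $result || is_wp_error( $result ) ) {
        return false; // no application password supplied, or validation failed
    }
    if ( ! ( $result instanceof WP_User ) ) {
        return false; // defensive: never trust an unexpected return type
    }
    // 'manage_options' is the capability WordPress grants to administrators.
    return user_can( $result, 'manage_options' );
}

/**
 * Parses an HTTP Basic Authorization header value into [username, password].
 * Returns null for anything malformed so callers fail closed.
 */
function burst_example_parse_basic_auth( string $header ): ?array {
    if ( 0 !== stripos( $header, 'Basic ' ) ) {
        return null;
    }
    $decoded = base64_decode( substr( $header, 6 ), true );
    if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
        return null;
    }
    list( $user, $pass ) = explode( ':', $decoded, 2 );
    return ( '' === $user || '' === $pass ) ? null : [ $user, $pass ];
}
```

The defender's check is the `is_wp_error()` / `instanceof WP_User` pair: it turns "anything non-empty" into "exactly the success type", which is the property the CWE-287 description above says the vulnerable function lacks. Requiring `manage_options` on the resolved user is an additional least-privilege guard, since an application password for a non-administrator account should never unlock administrator-only proxy handling.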

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Auth bypass in public-facing WordPress plugin enables use of valid admin accounts (T1078) via exploitation of a web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2024-12919 (shared CWE-287)
- CVE-2026-3655 (shared CWE-287)
- CVE-2026-0953 (shared CWE-287)
- CVE-2026-5722 (shared CWE-287)
- CVE-2026-30949 (shared CWE-287)
- CVE-2026-23906 (shared CWE-287)
- CVE-2025-67822 (shared CWE-287)
- CVE-2025-1475 (shared CWE-287)
- CVE-2025-22146 (shared CWE-287)
- CVE-2026-5229 (shared CWE-287)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Directly enforces approved authorizations by requiring correct validation of credentials before granting administrator access, blocking the return-value bypass in is_mainwp_authenticated().
- IA-2 Identification and Authentication (Organizational Users) (prevent): Mandates reliable identification and authentication of users before allowing access, directly countering the flawed Basic Auth handling that permits impersonation with arbitrary passwords.
- Authenticator verification control (prevent): Requires proper verification and validation of authenticators supplied via the Authorization header, addressing the incorrect return-value logic that accepts any password for known usernames.

References