LeakyCreds

CVE-2026-8181 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: May 14, 2026

Burst Statistics – Privacy-Friendly WordPress Analytics - Authentication Bypass

Published: May 14, 2026 | Updated: May 14, 2026 | KEV | PoC Available | Remote Exploitable

Overview

The Burst Statistics – Privacy-Friendly WordPress Analytics plugin, versions 3.4.0 to 3.4.1.1, contains an authentication bypass caused by incorrect return-value handling in the is_mainwp_authenticated() function. The flaw lets unauthenticated attackers impersonate administrators. Exploitation requires knowledge of an administrator username.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 26.0% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can impersonate administrators, leading to privilege escalation and full control over the application.

Mitigation

Update to a version later than 3.4.1.1 or the latest available version.

References

Social Media Activity (4 posts)

OffSequence
@offseq
May 14, 2026

🔴 CVE-2026-8181: Burst Statistics WP plugin (v3.4.0 – 3.4.1.1) suffers CRITICAL auth bypass. Attackers can impersonate admins using any password — immediate removal advised until a fix is released. Details: https://radar.offseq.com/threat/cve-2026-8181-cwe-287-improper-authentication-in-b-c577a44d #OffSeq #WordPress #Vuln

TheHackerWire
@thehackerwire
May 14, 2026

🔴 CVE-2026-8181 - Critical (9.8) The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-8181/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-8181
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: rejected
EPSS: 26.0%
Social Posts: 4

CWE

  • CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

26.0% (Probability of exploitation in the next 30 days)