Introduction
Over 200,000 WordPress sites running the Burst Statistics plugin became vulnerable to full administrator impersonation through a single unauthenticated HTTP request, with confirmed reports of active exploitation in the wild. The flaw, tracked as CVE-2026-8181 with a CVSS score of 9.8, allows an attacker who knows only a valid admin username to bypass authentication entirely and interact with the WordPress REST API as that administrator.
Burst Statistics is a privacy focused WordPress analytics plugin designed as an alternative to Google Analytics. With over 200,000 active installations, it occupies a meaningful share of the WordPress analytics plugin market. Its integration with the MainWP site management platform, which is central to this vulnerability, makes it relevant to organizations managing fleets of WordPress sites.
Technical Information
The root cause of CVE-2026-8181 is a classic return value mishandling bug in the is_mainwp_authenticated() function within class-mainwp-proxy.php. Burst Statistics includes a proxy integration with the MainWP site management platform that implements a custom HTTP authentication scheme. When an incoming request includes the X-BurstMainWP: 1 header, the plugin delegates authentication to this function.
The function reads the Authorization HTTP header, decodes the Base64 encoded Basic credentials, and splits them into a username and password. The credential extraction logic looks like this:
public function is_mainwp_authenticated(): bool { $auth_header = sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '' ) ); if ( ! empty( $auth_header ) && stripos( $auth_header, 'basic ' ) === 0 ) { // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode $credentials = base64_decode( substr( $auth_header, 6 ), true ); if ( ! $credentials ) { return false; } $parts = explode( ':', $credentials, 2 ); if ( count( $parts ) !== 2 ) { return false; }
After extracting the username and password, the function passes them to the WordPress core function wp_authenticate_application_password(). Here is where the vulnerability manifests: the plugin treats any non WP_Error return as a successful authentication.
The Null Return Problem
When Application Passwords are not enabled on a WordPress installation (or in certain other edge cases), wp_authenticate_application_password() returns null rather than a WP_Error object. Because null is not a WP_Error, the plugin's check silently passes. The code then calls wp_set_current_user() with the attacker supplied username, setting the globally authenticated WordPress user for the entire duration of the request.
Cross Endpoint Impact
Once wp_set_current_user() executes with an administrator's username, every WordPress capability check for the remainder of that request sees a fully authenticated administrator. This is not limited to Burst Statistics endpoints. The impersonation applies to all REST API routes, including WordPress core endpoints. An attacker can, for example, issue a POST request to /wp-json/wp/v2/users and create a new administrator account for persistent access.
Step by Step Attack Flow
- The attacker identifies a valid administrator username on the target WordPress site. Admin usernames are frequently discoverable through author archive URLs or the WordPress REST API users endpoint.
- The attacker crafts an HTTP request containing two key headers:
X-BurstMainWP: 1andAuthorization: Basic <base64(admin_username:any_random_password)>. - The plugin's
is_mainwp_authenticated()function intercepts the request, extracts the credentials, and passes them towp_authenticate_application_password(). - On sites where Application Passwords are not enabled, the core function returns
null. - The plugin interprets
nullas a non error condition and treats authentication as successful. wp_set_current_user()is called with the attacker supplied admin username, granting full administrator privileges for the request.- The attacker can now call any WordPress REST API endpoint as the impersonated administrator, including creating new admin accounts, modifying content, or installing plugins.
This is classified under CWE-287 (Improper Authentication), which accurately describes the failure to properly validate the authentication outcome before granting access.
Affected Systems and Versions
The vulnerability affects the Burst Statistics plugin for WordPress in the following version range:
- Vulnerable versions: 3.4.0 through 3.4.1.1
- Fixed version: 3.4.2
The vulnerable code was introduced on April 23, 2026, with the release of version 3.4.0. Any WordPress installation running Burst Statistics versions 3.4.0, 3.4.1, or 3.4.1.1 is affected. Sites where Application Passwords are not enabled are particularly susceptible, as this is the condition that causes wp_authenticate_application_password() to return null rather than a WP_Error.
The plugin reports over 200,000 active installations across the WordPress ecosystem.
References
- NVD CVE Record: CVE-2026-8181
- Wordfence Threat Intel Advisory
- Wordfence Blog: 200,000 WordPress Sites at Risk
- SecurityOnline: Burst Statistics Authentication Bypass Exploited
- Burst Statistics Plugin on WordPress.org
- Burst Statistics Changelog
- GitHub: class-mainwp-proxy.php (vulnerable commit)
- WordPress Plugin Trac: class-mainwp-proxy.php (tag 3.4.1.1, line 314)
- WordPress Plugin Trac: class-mainwp-proxy.php (tag 3.4.1.1, line 328)
- WordPress Plugin Trac: class-mainwp-proxy.php (tag 3.4.1.1, line 336)
- WordPress Plugin Trac: trait-admin-helper.php (tag 3.4.1.1, line 205)
- WordPress Plugin Trac: class-mainwp-proxy.php (trunk, line 314)
- WordPress Plugin Trac: class-mainwp-proxy.php (trunk, line 328)
- WordPress Plugin Trac: class-mainwp-proxy.php (trunk, line 336)
- WordPress Plugin Trac: trait-admin-helper.php (trunk, line 205)



