CVE-2026-8181

Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover

Severity: Critical (Improper Authentication)
CVSS Score: 9.8
Patched in: 3.4.2
Time to patch: 1d

Description

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: >=3.4.0 <=3.4.1.1
Published: May 13, 2026
Last updated: May 14, 2026
Affected plugin: burst-statistics
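
As an added check (not part of the advisory or of the plugin's own code), the following Python compares a plugin's `Version:` header line, in the format the burst.php hunk below shows, against the affected range. It assumes you read the header from the plugin's main file, normally wp-content/plugins/burst-statistics/burst.php; the sample headers are constructed.

```python
import re

# Affected range from the advisory: 3.4.0 <= version <= 3.4.1.1; fixed in 3.4.2.
AFFECTED_MIN = (3, 4, 0)
AFFECTED_MAX = (3, 4, 1, 1)

# Matches the " * Version: 3.4.1.1" line of a WordPress plugin header block.
VERSION_HEADER = re.compile(r"^\s*\*\s*Version:\s*(\S+)\s*$", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """'3.4.1.1' -> (3, 4, 1, 1); a non-numeric suffix such as '-beta1' is ignored."""
    core = re.split(r"[^0-9.]", text, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p)


def pad(v: tuple, n: int) -> tuple:
    # Compare versions of unequal length on equal footing: 3.4.0 is treated as 3.4.0.0.
    return v + (0,) * (n - len(v))


def version_in_range(version: tuple, low: tuple, high: tuple) -> bool:
    n = max(len(version), len(low), len(high))
    return pad(low, n) <= pad(version, n) <= pad(high, n)


def header_version(plugin_php: str):
    m = VERSION_HEADER.search(plugin_php)
    return m.group(1) if m else None


def is_affected(plugin_php: str) -> bool:
    """True when the plugin file's header version falls inside the vulnerable range."""
    v = header_version(plugin_php)
    if v is None:
        raise ValueError("no 'Version:' header found in plugin file")
    return version_in_range(parse_version(v), AFFECTED_MIN, AFFECTED_MAX)


# Constructed sample headers modelled on the burst.php hunk in the advisory's diff.
VULNERABLE_HEADER = """<?php
/**
 * Plugin Name: Burst Statistics - Privacy-Friendly Analytics for WordPress
 * Version: 3.4.1.1
 * Requires at least: 6.6
 */"""
PATCHED_HEADER = VULNERABLE_HEADER.replace("Version: 3.4.1.1", "Version: 3.4.2")

if __name__ == "__main__":
    for label, src in (("3.4.1.1", VULNERABLE_HEADER), ("3.4.2", PATCHED_HEADER)):
        print(label, "affected" if is_affected(src) else "not affected")
```

On a live site the same range check can be fed from `wp plugin get burst-statistics --field=version` instead of the file header.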

What Changed in the Fix

Changes introduced in v3.4.2

Source Code

WordPress.org SVN

Research Plan (Unverified)

Exploitation Research Plan - CVE-2026-8181

1. Vulnerability Summary

The Burst Statistics plugin (versions 3.4.0 to 3.4.1.1) contains an authentication bypass vulnerability in its MainWP integration logic. The function is_mainwp_authenticated() (likely hooked into the determine_current_user filter or a similar authentication flow) fails to correctly validate application passwords provided in the Authorization header.

Specifically, when a Basic authentication header is provided, the function attempts to validate it but handles the return value incorrectly. This allows an unauthenticated attacker who knows a valid administrator's username to bypass authentication by providing a random password. Because this bypass occurs at the authentication layer, the attacker is treated as the specified administrator for the duration of the HTTP request, enabling full administrative access to the WordPress REST API and other protected endpoints.

2. Attack Vector Analysis

  • Endpoint: Any WordPress REST API endpoint, specifically POST /wp-json/wp/v2/users for account takeover.
  • Vulnerable Function: is_mainwp_authenticated() (located in an internal class, potentially Burst\Admin\MainWP\MainWP_Helper or similar - inferred based on namespace usage in provided files).
  • Authentication Header: Authorization: Basic <base64(admin_user:random_password)>.
  • Authentication Level: Unauthenticated.
  • Preconditions: Knowledge of a valid administrator username (usually admin or discoverable via /wp-json/wp/v2/users).

3. Code Flow

  1. Request Initiation: An attacker sends a REST API request to the WordPress site.
  2. Authentication Filter: During the plugins_loaded or init phase, WordPress fires the determine_current_user filters to identify the requester.
  3. Vulnerable Hook: Burst Statistics registers a filter that calls is_mainwp_authenticated().
  4. Header Processing: The function detects an Authorization header. It extracts the username and password.
  5. Logic Failure:
    • The code likely checks if the username exists and has specific capabilities (MainWP related).
    • It then attempts to validate the "application password".
    • Due to "incorrect return-value handling," the function returns the WP_User object or User ID even if the password validation fails or is logically bypassed, effectively telling WordPress: "This user is authenticated."
  6. Privilege Escalation: WordPress sets the global $current_user to the administrator, and the REST API controller allows the request to proceed with full permissions.

4. Nonce Acquisition Strategy

This vulnerability targets the REST API using Basic Authentication.

  • WordPress REST API Authentication: When using the Authorization header (Application Passwords/Basic Auth), WordPress does not require a CSRF nonce (X-WP-Nonce). Nonces are only required for cookie-based authentication.
  • Bypass Confirmation: Since the exploit relies on bypassing the authentication mechanism itself via the header, no nonce is needed for the POST requests.

5. Exploitation Strategy

The goal is to create a new administrator account to achieve permanent site access.

Step 1: Enumerate Administrator Username

If the username is unknown, use the standard WordPress enumeration endpoint.

  • Request: GET /wp-json/wp/v2/users
  • Tool: http_request
  • Expected Result: A JSON list of users. Identify the user with the highest ID or known administrative slug (e.g., admin).

Step 2: Perform Account Takeover (Create New Admin)

Use the bypass to call the user creation endpoint.

  • Method: POST
  • URL: /wp-json/wp/v2/users
  • Headers:
    • Content-Type: application/json
    • Authorization: Basic YWRtaW46YnlwYXNzMTIz (Base64 for admin:bypass123 - assuming admin is the target username)
  • Payload (JSON):
    {
      "username": "exploit_admin",
      "name": "Exploit Admin",
      "email": "exploit@example.com",
      "password": "ComplexPassword123!",
      "roles": ["administrator"]
    }
    
  • Tool: http_request

6. Test Data Setup

  1. Environment: WordPress with Burst Statistics v3.4.1.1 installed and activated.
  2. User: An administrator account with the username admin must exist.
  3. Plugin Config: No specific configuration is required, as the MainWP authentication bridge is typically initialized by default unless a conflicting MainWP_Child class is detected.

7. Expected Results

  • Response Code: 201 Created
  • Response Body: A JSON object representing the newly created exploit_admin user, including "roles": ["administrator"].
  • Failure Scenario: If the bypass fails, the response will be 401 Unauthorized or 403 Forbidden (the endpoint is restricted to authenticated users).

8. Verification Steps

After the HTTP request, use WP-CLI to verify the state of the database:

  1. Check User Existence: wp user get exploit_admin
  2. Verify Roles: wp user get exploit_admin --field=roles (should return administrator)
  3. Check Login: Verify that the new user can successfully authenticate.

9. Alternative Approaches

If the wp/v2/users endpoint is restricted by other security plugins, try these alternatives using the same Authorization bypass header:

  1. Modify Options: POST /wp-json/wp/v2/settings to change users_can_register to 1 and default_role to administrator.
  2. Plugin Installation: Use the POST /wp-json/wp/v2/plugins endpoint (if available/supported by the specific WP version) to upload a web shell.
  3. Update Admin Password: POST /wp-json/wp/v2/users/<admin_id> with a new password field to hijack the existing account directly.
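
Every post-bypass action listed in sections 5 and 9 is a write to a core REST endpoint, so a defender can look for them in web server access logs. The following Python is an added detection example, not part of the advisory or of any tool it names: it flags successful write requests to the users, settings and plugins routes, in both the /wp-json/ and ?rest_route= forms WordPress accepts, over constructed combined-format log lines. The Authorization header is not recorded in standard access logs, so the match is on route, method and status, and hits still need correlating with the site's own user records.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format line (constructed): ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# REST routes the research plan names as post-bypass targets.
WATCHED_ROUTES = (
    re.compile(r"^/wp/v2/users(?:/\d+)?/?$"),   # create a user or update an existing one
    re.compile(r"^/wp/v2/settings/?$"),         # users_can_register / default_role changes
    re.compile(r"^/wp/v2/plugins(?:/.*)?$"),    # plugin upload or activation
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def rest_route(target: str):
    """Route for /wp-json/<route> or for ?rest_route=<route> (used without pretty permalinks)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].lstrip("/")
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes the value
    return qs["rest_route"][0] if "rest_route" in qs else None


def suspicious(line: str):
    """Return a hit dict for a successful (2xx) write to a watched route, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] not in WRITE_METHODS or m["status"][0] != "2":
        return None
    route = rest_route(m["target"])
    if route is None or not any(r.match(route) for r in WATCHED_ROUTES):
        return None
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "route": route, "status": int(m["status"])}


def scan(lines):
    return [hit for hit in map(suspicious, lines) if hit]


# Constructed sample log lines (not real traffic): an enumeration GET, the plan's
# user-creation and settings writes, a rejected attempt, and an unrelated post write.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/May/2026:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812',
    '203.0.113.7 - - [13/May/2026:10:00:03 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 455',
    '203.0.113.7 - - [13/May/2026:10:00:05 +0000] "POST /?rest_route=%2Fwp%2Fv2%2Fsettings HTTP/1.1" 200 1200',
    '198.51.100.4 - - [13/May/2026:10:00:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 97',
    '198.51.100.4 - - [13/May/2026:10:00:12 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 600',
]
```

Running `scan(SAMPLE_LOG)` reports only the 201 user creation and the settings write from 203.0.113.7; the enumeration GET and the 401 are left out on purpose, since they are reads or failures.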

Research Findings

Static analysis — not yet PoC-verified

Summary

The Burst Statistics plugin (versions 3.4.0 to 3.4.1.1) contains an authentication bypass vulnerability within its MainWP integration logic. Due to incorrect return-value handling in the `is_mainwp_authenticated()` function, an unauthenticated attacker knowing an administrator username can impersonate that user by providing an arbitrary password in a Basic Authentication header.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.1.1/burst.php /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.2/burst.php
--- /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.1.1/burst.php	2026-05-06 09:16:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.2/burst.php	2026-05-12 05:34:20.000000000 +0000
@@ -3,7 +3,7 @@
  * Plugin Name: Burst Statistics - Privacy-Friendly Analytics for WordPress
  * Plugin URI: https://www.wordpress.org/plugins/burst-statistics
  * Description: Get detailed insights into visitors’ behavior with Burst Statistics, the privacy-friendly analytics dashboard.
- * Version: 3.4.1.1
+ * Version: 3.4.2
  * Requires at least: 6.6
  * Requires PHP: 8.0
  * Text Domain: burst-statistics
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.1.1/includes/Admin/Abilities_Api/class-abilities-api.php /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.2/includes/Admin/Abilities_Api/class-abilities-api.php
--- /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.1.1/includes/Admin/Abilities_Api/class-abilities-api.php	2026-04-29 13:41:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/burst-statistics/3.4.2/includes/Admin/Abilities_Api/class-abilities-api.php	2026-05-12 05:34:20.000000000 +0000
@@ -15,14 +15,43 @@
 class Abilities_Api {
 	use Admin_Helper;
 
-	private const ENABLE_OPTION = 'enable_abilities_api';
-	private const CATEGORY_SLUG = 'burst-statistics';
+	private const ENABLE_OPTION     = 'enable_abilities_api';
+	private const CATEGORY_SLUG     = 'burst-statistics';
+	private const CHAT_ABILITY_LIST = [
+		'burst/live-visitors',
+		'burst/live-traffic',
+		'burst/today-summary',
+		'burst/tasks',
+		'burst/tracking-status',
+		'burst/license-notices',
+		'burst/data',
+		'burst/subscriptions-data',
+	];
+
+	/**
+	 * Check whether the Abilities API setting is enabled.
+	 */
+	public static function is_enabled(): bool {
+		return (bool) burst_get_option( self::ENABLE_OPTION, false );
+	}
+
+	/**
+	 * Show the chat enable notice only when the feature can actually be enabled.
+	 */
+	public static function should_show_enable_notice(): bool {
+		return function_exists( 'wp_register_ability' ) && ! self::is_enabled();
+	}
 
 	/**
 	 * Initialize Abilities API integration.
 	 */
 	public function init(): void {
-		if ( function_exists( 'wp_register_ability' ) && (bool) burst_get_option( self::ENABLE_OPTION, false ) ) {
+		if ( self::is_enabled() ) {
+			add_action( 'rest_api_init', [ $this, 'register_chat_rest_routes' ], 9 );
+			add_filter( 'burst_do_action', [ $this, 'handle_ajax_chat_actions' ], 10, 3 );
+		}
+
+		if ( function_exists( 'wp_register_ability' ) && self::is_enabled() ) {
 			add_action( 'wp_abilities_api_categories_init', [ self::class, 'register_category' ] );
 			add_action( 'wp_abilities_api_init', [ self::class, 'register' ] );
 			add_action( 'abilities_api_init', [ self::class, 'register' ] );
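Review bot: `init()` now tests `self::is_enabled()` in two consecutive `if` blocks, and the second condition (`function_exists( 'wp_register_ability' ) && self::is_enabled()`) implies the first, so nesting the abilities registration inside the first block would read the option once and make the dependency obvious. Note also that `register_chat_rest_routes` and the `burst_do_action` filter are hooked without the `function_exists( 'wp_register_ability' )` guard the old single condition carried, so on a core version without the Abilities API the chat REST routes are registered as soon as the option is on; if that is intended, say so in a comment. `CHAT_ABILITY_LIST` is added without a docblock while both new methods have one.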
@@ -529,7 +590,7 @@
 	public function permission_callback( mixed $input = null ): bool|\WP_Error {
 		unset( $input );
 
-		if ( $this->user_can_view() ) {
+		if ( $this->user_can_manage() ) {
 			return true;
 		}
 ... (truncated)
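Review bot: tightening `permission_callback()` from `user_can_view()` to `user_can_manage()` is the right direction for a callback that guards write operations, but nothing in the visible diff touches `is_mainwp_authenticated()`, the function the advisory names as the root cause; the diff shown covers only burst.php and class-abilities-api.php, and the hunk is cut off after `return true;`, so the truncated remainder should be checked to confirm that the return-value handling fix is actually part of 3.4.2 and to see what `permission_callback()` returns on the failing path.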

Exploit Outline

  1. Administrator Enumeration: Identify a valid administrator username, typically via the `/wp-json/wp/v2/users` endpoint or common defaults like 'admin'.
  2. Authentication Bypass: Construct a request to a privileged REST API endpoint (such as `POST /wp-json/wp/v2/users`).
  3. Header Injection: Include an `Authorization` header using Basic authentication: `Authorization: Basic <base64(admin_user:random_password)>`.
  4. Execution: Because the plugin fails to correctly validate the provided password against the administrator account within the `is_mainwp_authenticated` flow, WordPress treats the request as being authenticated by the specified administrator for the duration of the execution.
  5. Privilege Escalation: The attacker can use this bypassed state to create a new administrator account or modify site settings, achieving full site takeover.
