← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-8181 · CWE-287 · Disclosed 2026-05-14

The Burst Statistics – Privacy-Friendly WordPress Analytics

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a front-door lock that treats any random key as valid if you say the homeowner’s name

CVE-2026-8181 is an authentication bypass in the Burst Statistics WordPress plugin affecting versions 3.4.0 through 3.4.1.1, fixed in 3.4.2. The flaw sits in the plugin’s MainWP-related REST authentication path: if a request carries the X-BurstMainWP: 1 header and a Basic Auth username for a valid admin, the plugin can treat a failed application-password check as success and call wp_set_current_user() for that administrator for the life of the request.

The vendor’s 9.8 CRITICAL rating is basically fair here. Yes, the reachable population is narrowed to sites running this specific plugin, but once that condition is true the rest of the chain is thin: attacker position is unauthenticated remote, there is no user interaction, the only meaningful prerequisite is knowing an admin username, and real-world WordPress deployments often leak or guess that easily enough. Add active exploitation telemetry and this stays in the top bucket.

"Internet-reachable admin takeover on a 200k-install WordPress plugin, with live attack traffic already showing up."
02 · The Attack Path

5 steps from start to impact.

STEP 01

Find a public WordPress site running Burst Statistics

The attacker fingerprints a public WordPress site, then confirms the burst-statistics plugin and version by reading exposed plugin metadata, changelogs, asset paths, or scanner fingerprints. Tenable and other scanners treat this as largely version-based detection because the bug is tied to a narrow plugin release band rather than a generic WordPress core condition.
Conditions required:
  • Target WordPress site is internet reachable
  • Burst Statistics plugin is installed and active
  • Installed version is between 3.4.0 and 3.4.1.1
Where this breaks in practice:
  • Only sites with this plugin are affected
  • Some operators hide plugin metadata or block passive fingerprinting
  • Version disclosure can be incomplete on hardened sites
Detection/coverage: External scanners can usually identify the plugin and vulnerable version, but coverage is mostly version-based, not exploit-based.
STEP 02

Enumerate one administrator username

The exploit needs a valid administrator username because the plugin later resolves that login and sets the current user to it. In WordPress, admin usernames are often recoverable via author archives, REST API user exposure, XML/RSS metadata, login error behavior, or simple guessing of common admin handles.
Conditions required:
  • At least one administrator account exists
  • Attacker can discover or guess a valid admin login name
Where this breaks in practice:
  • Some sites restrict user enumeration through REST or author pages
  • Randomized admin usernames slow opportunistic spray-and-pray abuse
Detection/coverage: Look for bursts of requests probing /wp-json/, author pages, and login flows tied to username discovery.
STEP 03

Send a forged MainWP-style REST request

The attacker sends a request with X-BurstMainWP: 1 plus an Authorization: Basic ... header containing the valid admin username and any arbitrary password. Burst’s MainWP proxy path invokes wp_authenticate_application_password() but only rejects WP_Error; a null return can slip through as if auth succeeded.
Conditions required:
  • Target is processing REST requests
  • Burst Statistics vulnerable code path is present
  • Attacker can set custom headers
Where this breaks in practice:
  • Some WAFs or reverse proxies may block unusual auth/header combinations
  • Custom edge filtering can drop X-BurstMainWP requests from the internet
Detection/coverage: High-signal IOC: requests to /wp-json/ carrying both X-BurstMainWP: 1 and a Basic Auth header from untrusted IPs.
STEP 04

Impersonate the administrator for that request

Once the plugin accepts the forged request, it resolves the supplied username and calls wp_set_current_user() with that admin’s ID. At that point WordPress capability checks see a fully authenticated admin, even on core REST routes unrelated to Burst.
Conditions required:
  • Supplied username maps to a real admin user
  • Plugin code reaches the vulnerable wp_set_current_user() call
Where this breaks in practice:
  • If the username is valid but not an admin with required capability, impact drops
  • A patched plugin or properly scoped auth check kills the chain immediately
Detection/coverage: Application logs may show privileged REST actions without a preceding legitimate login or valid application-password use.
STEP 05

Create a rogue admin or perform admin actions

With transient admin context established, the attacker can hit core endpoints such as POST /wp-json/wp/v2/users to create a new administrator account, or perform other administrative actions allowed through REST. This converts a one-request impersonation bug into durable site takeover.
Conditions required:
  • Target permits the relevant REST admin action
  • WordPress user-creation or equivalent privileged capability is available
Where this breaks in practice:
  • Some sites limit REST user creation or use additional hardening around admin APIs
  • Monitoring that alerts on new admin creation can catch the follow-on action
Detection/coverage: Detect POST /wp-json/wp/v2/users, unexpected admin account creation, and plugin/theme installation events from previously unseen IPs.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusYes, exploitation evidence exists. Wordfence reported attack traffic soon after disclosure, and BleepingComputer cited 7,400+ blocked attacks in a 24-hour window. Later Wordfence community telemetry referenced 88,000+ blocked requests across 376 sites between 2026-05-13 and 2026-05-21.
PoC availabilityAvailable enough for copycats. Wordfence says it validated a proof of concept on 2026-05-08; Tenable marks exploit availability as true; public third-party PoC/lab material is indexed by Sploitus.
EPSSEPSS supplied in your intel is 0.04729 (~4.7% next-30-day probability). That is not huge in absolute terms, but for a fresh WordPress auth bypass with observed attack traffic, telemetry matters more than EPSS here.
KEV statusNot listed in the CISA KEV catalog as of this assessment, despite public exploitation reporting.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is directionally right: unauthenticated remote, low complexity, no user interaction, and full admin-level impact. The only meaningful real-world downward pressure is population scope: only sites running this plugin are affected.
Affected versions3.4.0 through 3.4.1.1. Wordfence ties introduction to the MainWP/application-password changes added in the 3.4.0 line.
Fixed versionsUpgrade to 3.4.2 or later. WordPress.org changelog shows the security fix landing on 2026-05-12; later 3.4.3 and 3.5.0 remain beyond the vulnerable band. No distro backport channel is relevant here; this is a WordPress plugin update.
Exposure and install baseWordPress.org lists 200,000+ active installations. That is a big enough internet population for opportunistic scanning, even though it is much smaller than core WordPress or ultra-common plugins.
Scanner and detection coverageTenable ships a version-based web-app check (plugin 115244) and notes it relies on self-reported versioning rather than safe exploitation. Network detection should key on X-BurstMainWP: 1 plus Basic Auth on /wp-json/.
Disclosure and researchersWordfence says PRISM discovered it on 2026-05-08, vendor acknowledgement happened 2026-05-11, patch released 2026-05-12, Wordfence public advisory 2026-05-13, and NVD published the CVE on 2026-05-14. Credited researchers: Chloe Chamberland and PRISM.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to CRITICAL (9.7/10)

The decisive factor is that this is still unauthenticated remote admin takeover with no prior foothold, and the remaining prerequisite—knowing an admin username—is usually a speed bump, not a wall, on public WordPress estates. Active exploitation evidence removes any comfort you might take from the plugin-specific exposure population.

HIGH Technical impact and exploit chain
HIGH Affected version range and fixed version
MEDIUM Scale of in-the-wild exploitation beyond Wordfence-visible telemetry

Why this verdict

  • Baseline stays high: vendor 9.8 starts from the right place because attacker position is *unauthenticated remote* and successful exploitation yields effective administrator control.
  • Prerequisite audit only trims a little: the main narrowing factor is install base—only sites running Burst Statistics 3.4.03.4.1.1 are exposed—so this is not a universal WordPress emergency.
  • Username knowledge is weak friction: needing one valid admin username sounds meaningful on paper, but in practice WordPress usernames are often enumerable or guessable, especially on public marketing sites and small agency-managed estates.
  • No prior compromise stage required: there is no internal-network, authenticated-user, or privileged-role prerequisite. That keeps this out of the 'post-initial-access' bucket and prevents a downgrade.
  • Modern controls may help but are uneven: a tuned WAF can block the header/auth pattern, and Wordfence users got protection early, but many sites will not have those controls deployed or tuned before scanning starts.
  • Exploitation evidence is the amplifier: public reporting of live attack traffic means this has moved from theoretical bug to operational takeover path.

Why not higher?

There is some real-world narrowing: only sites running a specific plugin release line are affected, and exploitation still needs a valid admin username. This is not the kind of ubiquitous infrastructure bug that instantly lights up every edge scanner on the internet. 9.7 instead of a hard 10 reflects that bounded population.

Why not lower?

A downgrade would require meaningful chain friction such as authentication, internal-only reachability, unusual configuration, or a requirement for an already-compromised user role. None of that applies here. If the plugin is present and vulnerable, this is an internet-reachable path to admin takeover with observed abuse.

05 · Compensating Control

What to do — in priority order.

  1. Block X-BurstMainWP from the public internet — At the WAF, reverse proxy, or web server layer, deny requests carrying X-BurstMainWP: 1 unless they originate from explicitly trusted management infrastructure. Because exploitation evidence exists, deploy this immediately, within hours as a temporary barrier while patching catches up.
  2. Patch Burst Statistics to 3.4.2+ — This is the actual fix for the broken auth logic. For actively exploited internet-facing sites, do it immediately, within hours; for the broader fleet, this still falls under the noisgate remediation SLA of ≤90 days because the verdict remains CRITICAL.
  3. Disable the plugin where unused — If a site does not need Burst Statistics, deactivating and removing it collapses the attack surface faster than waiting on normal change windows. Because attackers are already probing, unused instances should be disabled within hours.
  4. Alert on REST user creation — Instrument web, WordPress, and SIEM telemetry for POST /wp-json/wp/v2/users, unexpected administrator creation, and admin actions from previously unseen source IPs. Stand this up within hours for exposed sites because post-exploit persistence is typically a rogue admin account.
  5. Constrain WordPress user enumeration — Reduce easy admin-username harvesting by limiting public REST user exposure and author enumeration where business impact allows. This is a secondary control, not the fix, but it raises attacker cost and should be applied within hours on externally exposed sites if patching will lag.
What doesn't work
  • Relying on MFA for wp-admin logins does not stop this path, because the exploit forges authenticated REST context before any normal interactive login flow.
  • Hiding /wp-admin/ or changing the login URL does not materially help; the exploit targets REST endpoints, not the browser login page.
  • Generic EDR on the web server may miss the initial compromise because the first durable artifact is often just a newly created WordPress admin user, not malware execution.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host or inside the container/VM that holds the site files. Invoke it as bash check-burst-cve-2026-8181.sh /var/www/html/wp-content/plugins/burst-statistics; it needs only read access to the plugin directory, not root, and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-burst-cve-2026-8181.sh
# Detects whether the local Burst Statistics WordPress plugin version is affected by CVE-2026-8181.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / unable to determine

set -u

PLUGIN_DIR="${1:-}"

if [[ -z "$PLUGIN_DIR" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/wp-content/plugins/burst-statistics"
  exit 2
fi

if [[ ! -d "$PLUGIN_DIR" ]]; then
  echo "UNKNOWN - directory not found: $PLUGIN_DIR"
  exit 2
fi

PLUGIN_FILE=""
for f in "$PLUGIN_DIR"/burst-statistics.php "$PLUGIN_DIR"/*.php; do
  if [[ -f "$f" ]]; then
    if grep -qiE '^\s*Plugin Name:\s*Burst Statistics' "$f" 2>/dev/null; then
      PLUGIN_FILE="$f"
      break
    fi
  fi
done

if [[ -z "$PLUGIN_FILE" ]]; then
  # Fall back to the canonical file name even if the header is missing.
  if [[ -f "$PLUGIN_DIR/burst-statistics.php" ]]; then
    PLUGIN_FILE="$PLUGIN_DIR/burst-statistics.php"
  else
    echo "UNKNOWN - could not locate plugin main file"
    exit 2
  fi
fi

VERSION=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^\s*Version:/ {gsub(/\r/,"",$2); print $2; exit}' "$PLUGIN_FILE")

if [[ -z "$VERSION" && -f "$PLUGIN_DIR/readme.txt" ]]; then
  VERSION=$(awk -F': ' 'BEGIN{IGNORECASE=1} /^\s*Stable tag:/ {gsub(/\r/,"",$2); print $2; exit}' "$PLUGIN_DIR/readme.txt")
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - version not found in plugin headers or readme"
  exit 2
fi

verlte() {
  [[ "$1" == "$2" ]] && return 0
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

verlt() {
  [[ "$1" != "$2" ]] && verlte "$1" "$2"
}

# Vulnerable range: 3.4.0 <= version <= 3.4.1.1
if verlte "3.4.0" "$VERSION" && verlte "$VERSION" "3.4.1.1"; then
  echo "VULNERABLE - Burst Statistics version $VERSION is in affected range 3.4.0-3.4.1.1"
  exit 1
fi

if verlt "$VERSION" "3.4.0" || verlt "3.4.1.1" "$VERSION"; then
  echo "PATCHED - Burst Statistics version $VERSION is outside affected range"
  exit 0
fi

echo "UNKNOWN - parsed version '$VERSION' could not be classified"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat every internet-facing WordPress site with Burst Statistics as suspect, identify all instances, and either block public X-BurstMainWP requests or disable the plugin immediately, within hours because exploitation evidence exists and overrides the normal noisgate mitigation SLA. Then complete the real fix—upgrade every affected instance to 3.4.2+—on the same emergency track for exposed sites, while documenting the fleet-wide closeout under the noisgate remediation SLA of ≤90 days for CRITICAL issues; also hunt now for rogue admin creation and privileged REST activity since 2026-05-13.

Sources

  1. Wordfence technical advisory
  2. Wordfence vulnerability database entry
  3. WordPress.org plugin page and changelog
  4. NVD record
  5. BleepingComputer exploitation report
  6. CISA Known Exploited Vulnerabilities catalog
  7. FIRST EPSS API documentation
  8. Tenable web-app plugin 115244
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.