CVE-2026-8181 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-8181 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2026-8181 is a critical authentication bypass vulnerability in the Burst Statistics plugin for WordPress, a privacy-focused analytics tool, affecting versions 3.4.0 through 3.4.1.1.
Technical Detail
The flaw resides in the is_mainwp_authenticated() function, which incorrectly handles return values when validating application passwords submitted via the HTTP Authorization header. An unauthenticated attacker who knows a valid administrator username can exploit this logic error to bypass authentication entirely and impersonate that administrator for the duration of a session. Successful exploitation grants the attacker full administrative access to the WordPress installation, enabling actions such as content modification, plugin installation, credential harvesting, or complete site takeover.
Exploitation Status
A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of the date of this briefing, and active in-the-wild exploitation has not been confirmed. However, the low barrier to exploitation, requiring only knowledge of an administrator username, means the window between PoC availability and active abuse is likely short.
Who Is Targeting This
There is no specific threat actor attribution at this time. Opportunistic actors that target WordPress installations broadly are the most probable early exploiters, given the ease of exploitation and the wide deployment footprint of analytics plugins across small to mid-sized websites.
What To Do
Update the Burst Statistics plugin to a patched version above 3.4.1.1 immediately. Site administrators should verify the installed version via the WordPress dashboard and apply the update without delay given the critical CVSS score of 9.8 and the availability of a public PoC. If an immediate update is not possible, consider temporarily deactivating the plugin to eliminate the attack surface. Detection efforts should focus on reviewing web server access logs for anomalous requests to plugin endpoints that include Authorization headers paired with known or guessable administrator usernames. Audit WordPress administrator accounts for unauthorized additions or privilege changes as an indicator of prior compromise.
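The two defensive checks above, as an added example that is not part of the briefing or of the plugin's own code: an inclusive version-range test for the affected releases, and a scan of constructed access-log lines for Authorization-bearing requests to plugin endpoints. It assumes a custom log format that records only the auth scheme and Basic-auth username (never the credential), and uses a labelled placeholder for the plugin endpoint paths, which the briefing does not list.

```python
import re

# Affected range stated in the briefing: 3.4.0 through 3.4.1.1 inclusive.
AFFECTED_MIN, AFFECTED_MAX = "3.4.0", "3.4.1.1"

def version_tuple(v):
    """Pad to four components so 3.4.1 and 3.4.1.1 compare correctly."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(installed):
    """True when the installed plugin version falls inside the affected range."""
    return version_tuple(AFFECTED_MIN) <= version_tuple(installed) <= version_tuple(AFFECTED_MAX)

# Assumed (constructed) access-log format: combined format plus two fields the
# web server is configured to emit: auth=<scheme or -> and user=<Basic-auth
# username or ->. The credential itself is never written to the log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ auth=(?P<auth>\S+) user=(?P<user>\S+)$'
)
# PLACEHOLDER: the briefing does not list the plugin's endpoints; substitute the
# REST namespace / AJAX action names of the installed plugin here.
PLUGIN_PATH_RE = re.compile(r'/wp-json/PLUGIN_NS/|action=PLUGIN_ACTION', re.I)

def suspicious_requests(lines, admin_users):
    """Return requests to plugin endpoints that carry an Authorization header.
    Requests naming a known administrator account are marked admin_target."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["auth"] == "-" or not PLUGIN_PATH_RE.search(m["path"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "status": int(m["status"]),
                     "user": m["user"], "admin_target": m["user"] in admin_users})
    return hits

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:08:01:02 +0000] "GET /wp-json/PLUGIN_NS/v1/stats HTTP/1.1" 200 512 auth=Basic user=admin',
    '203.0.113.5 - - [10/Mar/2026:08:01:03 +0000] "GET /wp-json/PLUGIN_NS/v1/stats HTTP/1.1" 200 512 auth=Basic user=webmaster',
    '198.51.100.7 - - [10/Mar/2026:08:02:00 +0000] "GET /wp-json/PLUGIN_NS/v1/stats HTTP/1.1" 200 512 auth=- user=-',
    '198.51.100.7 - - [10/Mar/2026:08:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 auth=Basic user=admin',
]

if __name__ == "__main__":
    print("installed 3.4.1 affected:", is_affected("3.4.1"))
    for hit in suspicious_requests(SAMPLE_LOG, {"admin"}):  # admin set is constructed; load from your user audit
        print(hit)
```

Hits with admin_target set are the ones to correlate with the administrator account audit; a stream of hits with varying user values from one source is consistent with username guessing.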