Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

BleepingComputer T2 clear 14 May 2026 761 words ORIGINAL
Bill Toulas, May 14, 2026, 05:07 PM

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.

According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even create rogue admin accounts.

“This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” explains Wordfence. “In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever.”

The root cause is an incorrect interpretation of the return value of the 'wp_authenticate_application_password()' function, specifically treating a 'WP_Error' result as an indication of successful authentication.

However, the researchers explain that WordPress can also return ‘null’ in some cases, which is mistakenly treated as an authenticated request. As a result, the code calls ‘wp_set_current_user()’ with the attacker-supplied username, effectively impersonating that user for the duration of the REST API request. Admin usernames may be exposed in blog posts, comments, or even in public API requests, but attackers can also use brute-force techniques to guess them.
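As an added illustration of the bug class described above (this is not the plugin's code, which the article does not reproduce), here is the return contract of WordPress's wp_authenticate_application_password() and a check that only trusts a WP_User; the function names insecure_rest_auth and hardened_rest_auth are hypothetical.

```php
<?php
// Return contract of wp_authenticate_application_password( $input_user, $username, $password ):
//   WP_User  -> credentials verified against an application password
//   WP_Error -> credentials rejected (e.g. wrong password)
//   null     -> passed through without authenticating (it returns $input_user
//               unchanged when application passwords do not apply)
// Only the WP_User case may ever reach wp_set_current_user().

// Insecure pattern (hypothetical, for illustration): a check that only
// rejects `false` lets both WP_Error and null through, so a wrong
// password still results in the requested user being set.
function insecure_rest_auth( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( $result !== false ) {                // WP_Error and null pass here
        $user = get_user_by( 'login', $username );
        if ( $user ) {
            wp_set_current_user( $user->ID ); // identity taken from the request, not from WordPress
            return true;
        }
    }
    return false;
}

// Hardened version: require a real WP_User object and take the identity
// from the object WordPress returned, never from the request's username.
function hardened_rest_auth( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( ! ( $result instanceof WP_User ) ) {
        // Covers WP_Error (rejected) and null (not authenticated at all).
        return false;
    }
    wp_set_current_user( $result->ID );
    return true;
}
```

Checking for `is_wp_error()` alone is not enough either, since the null pass-through case is neither an error nor a user; the instanceof test is the one that matches the contract.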

Admin-level access allows attackers to access private databases, plant backdoors, redirect visitors to unsafe locations, distribute malware, create rogue admin users, and more. While Wordfence warned in its post that they “expect this vulnerability to be targeted by attackers and, as such, updating to the latest version as soon as possible is critical,” its tracker shows that malicious activity has already begun.

According to the same platform, the website security firm has blocked over 7,400 attacks targeting CVE-2026-8181 in the past 24 hours, so the activity is significant. Users of the Burst Statistics plugin are advised to upgrade to the patched release, version 3.4.2, released on May 12, 2026, or to disable the plugin on their site. WordPress.org stats show that Burst Statistics had 85,000 downloads since the release of 3.4.2, so assuming that all were for the latest version, there remain roughly 115,000 sites exposed to admin takeover attacks.
