A significant security flaw has been identified in a popular WordPress plugin, endangering over 200,000 websites with potential account takeovers. This vulnerability has prompted immediate action within the cybersecurity community.
Discovery and Impact
Uncovered by Wordfence’s PRISM platform on May 8, 2026, the vulnerability affects the Burst Statistics plugin, which is known for its privacy-focused analytics capabilities. The flaw, cataloged as CVE-2026-8181 with a critical CVSS score of 9.8, permits unauthorized users to bypass authentication and impersonate site administrators.
The issue affects plugin versions 3.4.0 through 3.4.1.1, introduced on April 23, 2026. The rapid identification and patching within 19 days underscore the effectiveness of AI in reducing vulnerability exploitation timelines.
Technical Details
The security issue originates from the plugin’s MainWP integration, specifically the is_mainwp_authenticated() function, which inadequately verifies authentication requests carried in the HTTP Authorization header. Because of this faulty handling, any non-error response from the wp_authenticate_application_password() function is treated as successful authentication.
In cases where authentication fails, the function may return null instead of an error, letting malicious requests proceed. Attackers can exploit this by crafting REST API requests with a legitimate administrator username and an arbitrary password, effectively gaining administrator privileges temporarily.
This vulnerability impacts all REST API endpoints, allowing attackers to utilize core WordPress features beyond the plugin, considerably widening the attack scope.
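The check described above, reduced to its core, as an added illustration that is not the Burst Statistics plugin’s own code: a stand-in for wp_authenticate_application_password() reproduces core WordPress’s three-way return (it hands back its first argument, typically null, when application-password authentication does not apply to the request; a WP_Error on a wrong password; a WP_User on success), and the two checker functions (vulnerable_is_authenticated, hardened_is_authenticated) and the minimal WP_Error/WP_User classes are constructed here so the file runs under plain PHP without WordPress.

```php
<?php
// Minimal stand-ins for the WordPress classes (constructed for this example).
class WP_Error { public $code; public function __construct($code) { $this->code = $code; } }
class WP_User  { public $ID; public function __construct($id) { $this->ID = $id; } }
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Stand-in for wp_authenticate_application_password($input_user, $username, $password).
// Like the real function, it returns $input_user unchanged (here: null) when application
// passwords do not apply to the request, so "not an error" does not mean "authenticated".
function fake_authenticate_application_password($input_user, $username, $password, $applies) {
    if (!$applies) {
        return $input_user;                     // pass-through, not a WP_Error
    }
    if ($username === 'admin' && $password === 'correct-app-password') {
        return new WP_User(1);                  // constructed sample credentials
    }
    return new WP_Error('incorrect_password');
}

// Vulnerable pattern from the article: anything that is not a WP_Error is accepted,
// so a null pass-through is mistaken for a logged-in user.
function vulnerable_is_authenticated($result) {
    return !is_wp_error($result);
}

// Hardened pattern: only an actual WP_User object proves the credentials were checked.
function hardened_is_authenticated($result) {
    return $result instanceof WP_User && $result->ID > 0;
}

// Scenario from the article: valid username, arbitrary password, and the core function
// passing the request through untouched. The vulnerable check accepts the null result;
// the hardened check rejects it.
$passthrough = fake_authenticate_application_password(null, 'admin', 'arbitrary', false);
var_dump(vulnerable_is_authenticated($passthrough));
var_dump(hardened_is_authenticated($passthrough));

// A genuine wrong-password failure yields a WP_Error, which both checks reject.
$failed = fake_authenticate_application_password(null, 'admin', 'arbitrary', true);
var_dump(vulnerable_is_authenticated($failed));
var_dump(hardened_is_authenticated($failed));
```

When reviewing similar integrations, look for authentication helpers whose result is compared only against is_wp_error(); the safe test is an instanceof WP_User check followed by the plugin’s own capability verification.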
Response and Recommendations
Following the vulnerability’s disclosure, the Burst Statistics developers responded swiftly. Wordfence notified them on May 8, with full details shared by May 11, and a patch released by May 12, 2026, in version 3.4.2.
Users are strongly urged to update to version 3.4.2 or later to protect their sites. Wordfence users with Premium, Care, or Response plans received immediate firewall updates, while free users will receive protection by June 7, 2026.
Security experts emphasize the risk due to the exploit’s simplicity and lack of authentication barriers, advising administrators to audit user accounts, monitor logs, and ensure prompt updates to prevent potential breaches.
