A critical vulnerability in a widely used WordPress plugin has exposed more than 200,000 websites to potential takeover, raising urgent concerns across the security community.
Security researchers at Wordfence, using their AI-driven PRISM platform, have uncovered a severe authentication bypass flaw in the Burst Statistics plugin, a privacy-focused analytics tool.
Tracked as CVE-2026-8181 with a CVSS score of 9.8, the issue allows attackers to gain administrator-level access without valid credentials.
WordPress Plugin Flaw
The vulnerability affects plugin versions 3.4.0 through 3.4.1.1 and was introduced on April 23, 2026. Remarkably, it was discovered just 15 days later and patched within 24 hours of vendor notification, highlighting how AI-assisted research is shrinking vulnerability exposure windows.
At its core, the flaw stems from improper validation of authentication results in the plugin's MainWP integration. WordPress's application-password authentication routine can return three different things: a user object on success, an error object when supplied credentials are checked and rejected, or its unchanged input (often null) when no application-password check applies to the request at all.
The plugin's credential-verification function only tested for the error case. Anything that was not an error, including a null result, was treated as a successful login.
This oversight allows unauthenticated attackers to craft malicious HTTP requests using a known administrator username and any arbitrary password.
By abusing the Authorization header and sending a specially crafted request to WordPress REST API endpoints, attackers can impersonate an administrator for the duration of the request.
In a worst-case scenario, a threat actor could send a request to endpoints such as /wp-json/wp/v2/users and create a new administrator account, effectively gaining persistent control over the website without ever logging in.
The attack does not require brute force or credential theft; it only requires knowledge of a valid administrator username, which on many WordPress sites can be read from author archives or the public REST API. This significantly lowers the barrier to exploitation and makes mass scanning and automated attacks likely.
Wordfence acted quickly by deploying firewall rules to premium users on May 8, 2026, the same day the vulnerability was discovered and validated. Free users are expected to receive protection starting June 7, 2026.
The plugin developer responded rapidly after disclosure on May 11, releasing a fully patched version (3.4.2) on May 12, 2026. The fix grants access only when the authentication routine returns an actual authenticated user object (a WP_User instance), rather than merely something that is not an error.
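To make the bug in the paragraphs above concrete, here is a constructed PHP illustration of the vulnerable check beside the hardened one. This is added example code, not the Burst Statistics plugin's source: the WP_User, WP_Error, is_wp_error() and wp_authenticate_application_password() definitions are minimal stand-ins written here to mimic the return shapes of WordPress core (user object, error object, or the untouched $input_user, which is null when the caller passes null) so that the file runs under plain php with no WordPress install. The fixture users and the $app_passwords_in_use toggle are likewise constructed.

```php
<?php
// Added illustration; NOT the plugin's own code. Everything below that shares a
// name with WordPress core is a constructed stand-in mimicking core's behaviour.

class WP_User {
    public $ID;
    public $user_login;
    public function __construct($id, $login) {
        $this->ID = $id;
        $this->user_login = $login;
    }
}

class WP_Error {
    public $code;
    public function __construct($code) { $this->code = $code; }
}

function is_wp_error($thing) {
    return $thing instanceof WP_Error;
}

// Constructed fixture: one administrator with one application password.
// $app_passwords_in_use models core's site-wide "does any application
// password exist?" check; when it is false, core never looks at the
// credentials and simply hands back $input_user.
$app_passwords_in_use = false;
$fixture_users = ['admin' => ['id' => 1, 'app_password' => 'abcd efgh ijkl mnop qrst uvwx']];

// Stand-in with core's three return shapes: the unchanged $input_user (null
// here) when no application-password check applies, a WP_Error when the
// supplied credentials are checked and fail, and a WP_User only on a match.
function wp_authenticate_application_password($input_user, $username, $password) {
    global $app_passwords_in_use, $fixture_users;
    if ($input_user instanceof WP_User || !$app_passwords_in_use) {
        return $input_user;                       // pass-through: may be null
    }
    if (!isset($fixture_users[$username])) {
        return new WP_Error('invalid_username');
    }
    // Core strips non-alphanumerics before comparing application passwords.
    $stored = preg_replace('/[^a-z\d]/i', '', $fixture_users[$username]['app_password']);
    $given  = preg_replace('/[^a-z\d]/i', '', $password);
    if (!hash_equals($stored, $given)) {
        return new WP_Error('incorrect_password');
    }
    return new WP_User($fixture_users[$username]['id'], $username);
}

// Vulnerable pattern: "not an error" is mistaken for "authenticated".
function verify_credentials_vulnerable($username, $password) {
    $result = wp_authenticate_application_password(null, $username, $password);
    return !is_wp_error($result);                 // null passes this test
}

// Hardened pattern, matching the fix the article describes: only a real
// WP_User instance counts as an authenticated caller.
function verify_credentials_fixed($username, $password) {
    $result = wp_authenticate_application_password(null, $username, $password);
    return $result instanceof WP_User;
}

// Walk the cases an attacker and a legitimate client would produce.
$cases = [
    ['label' => 'no app passwords on site, bogus password', 'in_use' => false, 'pw' => 'anything'],
    ['label' => 'app passwords on site, bogus password',    'in_use' => true,  'pw' => 'anything'],
    ['label' => 'app passwords on site, correct password',  'in_use' => true,  'pw' => 'abcd efgh ijkl mnop qrst uvwx'],
];
foreach ($cases as $c) {
    $app_passwords_in_use = $c['in_use'];
    printf("%-45s vulnerable=%-5s fixed=%s\n",
        $c['label'],
        var_export(verify_credentials_vulnerable('admin', $c['pw']), true),
        var_export(verify_credentials_fixed('admin', $c['pw']), true));
}
```

The first case is the one that matters: with no application passwords configured anywhere on the site, the core routine never examines the password at all and returns null, so the vulnerable check accepts a known admin username with any password while the instanceof check rejects it. The two functions only agree once a genuine application password is checked and matched.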
Security experts warn that vulnerabilities enabling authentication bypass are especially dangerous because they undermine the core trust model of web applications. In this case, the flaw effectively allowed attackers to become administrators without any legitimate authentication checks.
Website owners using Burst Statistics are strongly urged to update to version 3.4.2 or later immediately. Because a successful attack leaves behind a newly created administrator account rather than a login, owners should also review their user list for administrator accounts they did not create. Delayed patching could leave sites exposed to exploitation, data breaches, or complete site compromise.
Given the simplicity of exploitation and the scale of affected installations, this vulnerability is expected to become a prime target for attackers in the coming weeks.