200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin
A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin, CVE-2026-8181, allows unauthenticated attackers to take over admin accounts on over 200,000 sites.

A critical authentication bypass vulnerability, tracked as CVE-2026-8181 with a CVSS score of 9.8, has been discovered in the Burst Statistics WordPress plugin, putting over 200,000 active installations at risk of full admin account takeover. The flaw, found by Wordfence's autonomous vulnerability research platform PRISM on May 8, 2026, allows unauthenticated attackers who know a valid administrator username to impersonate that admin during REST API requests by supplying any arbitrary password in a Basic Authentication header.
The vulnerability resides in the `is_mainwp_authenticated()` function within the plugin's MainWP integration. When a request includes the `X-BurstMainWP: 1` header, the function decodes Basic Authentication credentials from the Authorization header and passes them to WordPress core's `wp_authenticate_application_password()`. The critical flaw is that the function treats any return value that is not a `WP_Error` as a successful authentication. WordPress core, however, may return `null` when Application Passwords are not in use or the request is not considered an API request, so the plugin's guard silently passes without any password having been validated.
An attacker can exploit this by sending a REST API request with the `X-BurstMainWP: 1` header and a Basic Authentication header containing a known administrator username and any arbitrary password. This allows them to impersonate the admin for the duration of the request, including access to WordPress core endpoints like `/wp-json/wp/v2/users`. In a worst-case scenario, the attacker could create a new administrator-level account, achieving full site takeover.
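The check pattern described above, reconstructed as an added illustration (this is not the Burst Statistics plugin's code, and the hardened form is the editor's suggestion, not the vendor's actual patch): a `parse_basic_auth()` helper is assumed, and the WordPress runtime (`WP_User`, `WP_Error`, `wp_authenticate_application_password()`) is assumed to be loaded.

```php
<?php
// Illustrative reconstruction of the flawed guard and a hardened form.
// NOT the plugin's code. Assumes the WordPress runtime is loaded.

// Decode "Basic base64(user:pass)" into [user, pass], or null if malformed.
function parse_basic_auth( string $header ): ?array {
    if ( 0 !== stripos( $header, 'Basic ' ) ) {
        return null;
    }
    $decoded = base64_decode( substr( $header, 6 ), true );
    if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
        return null;
    }
    return explode( ':', $decoded, 2 );
}

// FLAWED: "not a WP_Error" is taken to mean "authenticated". Core may hand back
// the untouched $input_user (null here) when Application Passwords are not in
// play, so null passes this guard without any password ever being checked.
function weak_is_authenticated( string $header ): bool {
    $creds = parse_basic_auth( $header );
    if ( null === $creds ) {
        return false;
    }
    $result = wp_authenticate_application_password( null, $creds[0], $creds[1] );
    return ! is_wp_error( $result ); // null slips through here
}

// HARDENED: demand positive proof of identity (a WP_User) and return it, so a
// caller never proceeds on null, false, or any other "not applicable" value.
function strict_authenticate( string $header ): ?WP_User {
    $creds = parse_basic_auth( $header );
    if ( null === $creds ) {
        return null;
    }
    $result = wp_authenticate_application_password( null, $creds[0], $creds[1] );
    if ( ! ( $result instanceof WP_User ) ) {
        return null; // WP_Error, null, or anything else: not authenticated
    }
    return $result;
}
```

The general lesson is to branch on the success type rather than the absence of the error type; callers of `strict_authenticate()` should still check the returned user's capabilities before acting on the request.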
The vulnerability affects Burst Statistics versions 3.4.0 through 3.4.1.1. The vendor released a patched version 3.4.2 on May 12, 2026, just one day after receiving full disclosure details from Wordfence. Wordfence Premium, Care, and Response users received a firewall rule on May 8, 2026, while free users will get protection on June 7, 2026.
Given the critical severity and ease of exploitation, this vulnerability is expected to be actively targeted. Administrators are urged to update to version 3.4.2 immediately. The rapid discovery and patch cycle—15 days from introduction to discovery and 19 days to patch—highlights the positive impact of AI-driven vulnerability research in reducing the window for attackers.