VYPR · Breach
Published May 14, 2026 · Updated May 17, 2026 · 1 source

Hackers Exploiting Authentication Bypass in Burst Statistics WordPress Plugin

A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin is being actively exploited to gain full administrative access, and an estimated 115,000 websites are still running a vulnerable version.

Hackers are actively exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin, a privacy-focused analytics tool installed on approximately 200,000 websites. The flaw, identified as CVE-2026-8181, allows unauthenticated attackers to gain full administrative control over affected WordPress sites (BleepingComputer).

The vulnerability stems from how the plugin handles authentication during REST API requests. Introduced in version 3.4.0 and still present in 3.4.1, the code misinterprets the return value of the wp_authenticate_application_password() function. Specifically, the plugin fails to handle WP_Error objects and null returns, treating both as successful authentication. By supplying an arbitrary password alongside a known administrator's username in a Basic Authentication header, an attacker can impersonate that administrator for the duration of a REST API request (BleepingComputer).
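To show the class of mistake the article describes, the following is an added illustration, not the Burst Statistics code and not taken from the advisory: a REST permission callback that rejects only `false` from wp_authenticate_application_password(), so WP_Error and null fall through, beside a corrected version that accepts only a WP_User. The function names, the helper and the exact shape of the flawed check are assumptions.

```php
<?php
// Added illustration of the bug class described above; NOT the plugin's code.
// wp_authenticate_application_password() returns a WP_User on success,
// a WP_Error on a failed check, and null (its $input_user) when no
// application password applies. Only a WP_User means "authenticated".

// VULNERABLE (hypothetical): only `false` is rejected, so WP_Error and
// null both pass, and identity is then derived from the caller-supplied
// username, which was never verified.
function example_permission_vulnerable( WP_REST_Request $request ) {
    list( $username, $password ) = example_basic_auth_credentials();
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( false === $result ) {
        return false;
    }
    // Reached for WP_Error and null: acts as whoever $username names.
    $user = get_user_by( 'login', $username );
    if ( $user ) {
        wp_set_current_user( $user->ID );
    }
    return current_user_can( 'manage_options' );
}

// HARDENED: trust only a WP_User, surface WP_Error to the client, and
// never build identity from an unauthenticated username; for null, fall
// back to whatever user WordPress core has already authenticated.
function example_permission_hardened( WP_REST_Request $request ) {
    list( $username, $password ) = example_basic_auth_credentials();
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( $result instanceof WP_User ) {
        wp_set_current_user( $result->ID );
    } elseif ( is_wp_error( $result ) ) {
        return $result; // REST API turns this into an error response
    }
    // null: no application password in play; rely on cookie/nonce auth.
    return current_user_can( 'manage_options' );
}

// Assumed helper: read the Basic Auth credentials PHP exposes as
// PHP_AUTH_USER / PHP_AUTH_PW (empty strings when the header is absent).
function example_basic_auth_credentials() {
    return array(
        isset( $_SERVER['PHP_AUTH_USER'] ) ? (string) $_SERVER['PHP_AUTH_USER'] : '',
        isset( $_SERVER['PHP_AUTH_PW'] ) ? (string) $_SERVER['PHP_AUTH_PW'] : '',
    );
}
```

The defensive rule is the one the hardened callback applies: a WordPress authentication helper has three possible outcomes, and only an explicit `instanceof WP_User` check should ever unlock privileged actions.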

The impact of this exploit is severe, as it grants attackers the ability to perform any action available to an administrator. This includes creating new rogue administrator accounts, accessing private databases, planting backdoors, redirecting website traffic, and distributing malware. Because administrator usernames can often be discovered through public blog posts, comments, or API requests, the barrier to entry for attackers is relatively low (BleepingComputer).

Security researchers at Wordfence discovered the flaw on May 8 and have since observed significant malicious activity. In a single 24-hour period, the firm reported blocking over 7,400 attacks targeting this vulnerability, confirming that threat actors are actively scanning for and exploiting exposed sites (BleepingComputer).

To mitigate the risk, site administrators are urged to update to version 3.4.2, released on May 12, 2026, which addresses the flaw. While approximately 85,000 downloads of the patched version have been recorded, it is estimated that roughly 115,000 sites remain vulnerable. If an immediate update is not possible, administrators are advised to disable the plugin entirely until they can apply the patch (BleepingComputer).

This incident highlights the ongoing risks associated with third-party WordPress plugins, where minor coding errors in authentication logic can lead to complete site compromise. As attackers continue to automate the exploitation of such vulnerabilities, maintaining a rigorous patching schedule for all installed plugins remains a critical component of WordPress security. Users should monitor their site logs for unauthorized REST API activity and ensure that administrative accounts are secured with strong, unique credentials (BleepingComputer).

Synthesized by Vypr AI