VYPR
advisory · Published Jun 2, 2026 · 1 source

Critical Authentication Bypass in WordPress Burst Statistics Plugin Actively Exploited

A critical authentication bypass vulnerability in the WordPress Burst Statistics plugin (CVE-2026-8181) is being actively exploited, allowing unauthenticated attackers to take over websites by impersonating administrators.

A critical authentication bypass vulnerability, identified as CVE-2026-8181, has been discovered in the popular WordPress plugin "Burst Statistics." This plugin, which boasts over 200,000 active installations, is designed to provide privacy-friendly website analytics as an alternative to Google Analytics. The vulnerability affects versions 3.4.0 through 3.4.1.1 of the plugin.

The flaw allows unauthenticated attackers, provided they know a valid administrator username, to impersonate that administrator. This can lead to a complete takeover of the affected WordPress site. The exploit leverages an incorrect return-value handling within the is_mainwp_authenticated() function when processing application passwords from the Authorization header. By sending a crafted REST API request with the X-BurstMainWP: 1 header and arbitrary Basic Authentication credentials, the plugin incorrectly authenticates the request, setting the current user to the specified administrator.

Exploitation of this vulnerability gives attackers access to administrator-level REST API functionality. This includes the ability to create new administrator accounts, effectively granting them full control over the website. The vulnerability was publicly disclosed on May 13th, 2026, and the vendor released a patched version, 3.4.2, on the same day. Wordfence began blocking exploit attempts immediately after the disclosure.

Since the public disclosure on May 13th, 2026, Wordfence has reported blocking over 112,800 exploit attempts targeting this vulnerability. Threat actors appear to be actively trying to create new administrator accounts on vulnerable sites. The exploitation attempts were particularly high between May 15th and May 21st, 2026. Wordfence Premium, Care, and Response users received protection via a firewall rule on May 8th, 2026, while free version users will receive the same protection on June 7th, 2026.

Several IP addresses have been identified as the primary sources of these attack attempts, with some accounting for over 8,300 blocked requests. Indicators of compromise include the creation of new, unknown administrator accounts on affected sites, especially those created on or after May 13th, 2026. Reviewing website user lists and server log files for suspicious activity, particularly requests containing the X-BurstMainWP: 1 header or targeting the /wp-json/wp/v2/users endpoint, is recommended.
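Triage logic for the log review recommended above, as an added example that is not part of the advisory or of any Wordfence tooling: it assumes an Apache LogFormat that records the X-BurstMainWP request header (the stock combined format does not, in which case only the endpoint check applies) and runs over constructed sample lines using TEST-NET addresses.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample lines (TEST-NET addresses). Assumed Apache LogFormat that
# appends the X-BurstMainWP request header as a final quoted field:
#   LogFormat "%h %t \"%r\" %>s \"%{X-BurstMainWP}i\"" burst
# Stock "combined" logs do not record custom headers; there only the endpoint
# check below can fire.
SAMPLE_LOG = """\
203.0.113.10 [14/May/2026:02:11:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 "1"
203.0.113.10 [14/May/2026:02:11:10 +0000] "GET /wp-json/burst/v1/data HTTP/1.1" 200 "1"
198.51.100.7 [14/May/2026:09:30:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 "-"
192.0.2.44 [12/May/2026:18:00:00 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 "-"
198.51.100.7 [16/May/2026:11:45:12 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<burst>[^"]*)"$'
)
DISCLOSURE = datetime(2026, 5, 13)  # public disclosure date given in the advisory
USERS_ENDPOINT = "/wp-json/wp/v2/users"

def classify(line: str) -> Optional[dict]:
    """Return a finding for a line matching the advisory's indicators, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    on_users = m["path"].split("?")[0].rstrip("/") == USERS_ENDPOINT
    reasons = []
    if m["burst"] == "1":
        reasons.append("X-BurstMainWP: 1 header present")
    if on_users:
        reasons.append("request to /wp-json/wp/v2/users")
    if not reasons:
        return None
    # A 2xx on a POST to the users endpoint means an account really was created:
    # a bypass that succeeded, not just a blocked attempt. Verify it in wp_users.
    created = on_users and m["method"] == "POST" and m["status"].startswith("2")
    return {"ip": m["ip"], "when": ts, "reasons": reasons,
            "account_created": created, "post_disclosure": ts >= DISCLOSURE}

def triage(log_text: str) -> list:
    """All findings, successful account creations first."""
    hits = [f for f in map(classify, log_text.splitlines()) if f]
    return sorted(hits, key=lambda f: not f["account_created"])
```

Any finding with account_created set should be matched against the site's user list; a 401 on the same endpoint is an attempt that the patched plugin or firewall rejected.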

Given the critical nature of this vulnerability and the immediate, widespread exploitation observed, website administrators are strongly urged to update the Burst Statistics plugin to version 3.4.2 or later as soon as possible. Failure to do so leaves sites vulnerable to complete takeover by malicious actors. The high CVSS score of 9.8 underscores the severity of this authentication bypass flaw.

This incident highlights the ongoing threat posed by vulnerabilities in widely used WordPress plugins. The rapid exploitation following disclosure emphasizes the need for prompt patching and robust security measures, such as Web Application Firewalls (WAFs), to protect against automated attacks.

Synthesized by Vypr AI