Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
At a glance:
- Critical authentication bypass in Burst Statistics plugin enables admin takeover.
- CVE-2026-8181 affects versions 3.4.0 and 3.4.1, leaving ~115,000 WordPress sites vulnerable.
- Wordfence has blocked over 7,400 attacks; update to patched version 3.4.2 immediately.
Flaw introduction and discovery
Hackers are actively exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin to gain unauthorized admin-level access to websites. Discovered by security firm Wordfence on May 8, 2026, the flaw is tracked as CVE-2026-8181 and was introduced with the release of version 3.4.0 on April 23, 2026. The vulnerable code also persisted in version 3.4.1, compounding the risk for users who updated during that window.
The vulnerability allows unauthenticated attackers to impersonate known administrator users during REST API requests, even when supplying an incorrect password. In a worst-case scenario, attackers can create new administrator accounts without any prior authentication, effectively seizing control of the affected WordPress site.
Technical root cause and mechanism
The flaw stems from an incorrect interpretation of the return value of the WordPress 'wp_authenticate_application_password()' function. The plugin's code treats anything other than a 'WP_Error' as an indication of successful authentication. However, that function does not only return a 'WP_User' on success or a 'WP_Error' on failure: in certain cases it returns 'null', meaning it declined to authenticate the request at all. Because 'null' is not a 'WP_Error', the plugin erroneously interprets it as an authenticated request.
As a result, the code calls 'wp_set_current_user()' with the user matching the attacker-supplied username, thereby impersonating that user for the duration of the REST API request. Since the password is never actually verified on this path, a valid username is all the attacker needs. Acting as an administrator, the attacker can reach authenticated REST endpoints such as /wp-json/wp/v2/users and perform actions with administrative privileges, including creating new users.
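To make the bug class concrete, here is an added PHP illustration of the pattern described above beside a hardened version. It is not the Burst Statistics plugin's actual code and not taken from the advisory; the function names vuln_rest_auth() and safe_rest_auth() are invented for the example, while wp_authenticate_application_password(), is_wp_error(), get_user_by(), wp_set_current_user() and WP_User are real WordPress core APIs.

```php
<?php
/*
 * Added illustration of the CVE-2026-8181 bug class. This is NOT the Burst
 * Statistics plugin's code; it is a minimal reconstruction of the pattern the
 * advisory describes. vuln_rest_auth() and safe_rest_auth() are invented names.
 */

/*
 * VULNERABLE pattern: the only failure it recognises is a WP_Error.
 *
 * wp_authenticate_application_password( $input_user, $username, $password )
 * returns a WP_User on success and a WP_Error when the credentials are wrong,
 * but it returns $input_user unchanged (here: null) when it declines to
 * authenticate at all, for example when application passwords are not in use
 * on the site. null is not a WP_Error, so this code treats "not checked" as
 * "checked and valid" and then trusts the caller-supplied username.
 */
function vuln_rest_auth( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );

	if ( ! is_wp_error( $result ) ) {                 // BUG: null passes this test
		$user = get_user_by( 'login', $username );    // attacker chooses the username
		if ( $user ) {
			wp_set_current_user( $user->ID );         // request now runs as that user
			return true;
		}
	}
	return false;
}

/*
 * HARDENED pattern: success means exactly one thing, a WP_User came back, and
 * the identity set is the one WordPress verified, not the one the client typed.
 * null ("not handled") and WP_Error ("bad credentials") are both failures.
 */
function safe_rest_auth( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );

	if ( ! ( $result instanceof WP_User ) ) {
		return false;
	}

	wp_set_current_user( $result->ID );
	return true;
}
```

The general rule this shows applies to any authentication helper with a three-way return: test for the positive success type, never merely for the absence of the error type. If a plugin needs a fallback when application passwords are unavailable, the safe fallback is "unauthenticated" (letting WordPress's normal cookie and nonce handling run), not "authenticated as whoever the request names".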
Exploitation risks and impact
With admin-level access, attackers can wreak havoc on compromised websites. They can read the site's database, plant backdoors for persistent access, redirect visitors to malicious sites, distribute malware, and create rogue admin users to maintain control. Exploitation requires only a valid administrator username, not a password. Admin usernames are often exposed through post author pages, comments, or public REST API responses, and can otherwise be guessed or enumerated, so the barrier to entry is low.
Burst Statistics is a privacy-focused analytics plugin active on approximately 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics. However, since the release of the patched version 3.4.2 on May 12, 2026, only 85,000 downloads have occurred via WordPress.org, suggesting that around 115,000 sites remain exposed to potential admin takeover attacks.
Active attacks and mitigation
Wordfence has already observed significant malicious activity targeting CVE-2026-8181, blocking over 7,400 attacks in the past 24 hours alone. The security firm had warned that the vulnerability was likely to be exploited, urging users to update immediately. "As such, updating to the latest version as soon as possible is critical," Wordfence stated in its advisory.
Users of the Burst Statistics plugin are strongly recommended to upgrade to version 3.4.2 or later, or to deactivate the plugin entirely until they can. Given the active exploitation, delaying action could result in site compromise. Sites that ran 3.4.0 or 3.4.1 while the flaw was being exploited should also be checked for signs of compromise, such as unexpected administrator accounts or modified files, because installing the patch does not evict an attacker who already got in.
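The following is an added post-patch audit, not from the article or the plugin, that a site owner can run inside WordPress (for instance with WP-CLI's wp eval-file) to confirm the installed version is outside the affected range and to list administrator accounts registered since 3.4.0 shipped on April 23, 2026. The plugin directory slug 'burst-statistics' and the two function names are assumptions; get_plugins(), is_plugin_active(), get_users() with a date_query, and version_compare() are standard WordPress and PHP APIs.

```php
<?php
/*
 * Added post-patch audit for CVE-2026-8181 (not from the article or the plugin).
 * Run inside a loaded WordPress, e.g. with WP-CLI:  wp eval-file audit.php
 * Assumptions: the plugin lives in the 'burst-statistics' directory, and
 * 2026-04-23 (the 3.4.0 release date given in the article) is the earliest
 * moment a rogue administrator could have been created through the bypass.
 */

// Is Burst Statistics installed at a version in the affected range [3.4.0, 3.4.2)?
function burst_plugin_status() {
	if ( ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	foreach ( get_plugins() as $file => $data ) {
		if ( strpos( $file, 'burst-statistics/' ) !== 0 ) {   // assumed directory slug
			continue;
		}
		$version = $data['Version'];
		return array(
			'file'     => $file,
			'version'  => $version,
			'active'   => is_plugin_active( $file ),
			'affected' => version_compare( $version, '3.4.0', '>=' )
			           && version_compare( $version, '3.4.2', '<' ),
		);
	}
	return null;   // not installed
}

// Administrator accounts registered on or after the vulnerable release date.
function admins_registered_since( $since ) {
	return get_users( array(
		'role'       => 'administrator',
		'date_query' => array(
			array(
				'column'    => 'user_registered',
				'after'     => $since,
				'inclusive' => true,
			),
		),
		'orderby'    => 'registered',
		'order'      => 'ASC',
	) );
}

$status = burst_plugin_status();
if ( null === $status ) {
	echo "Burst Statistics is not installed.\n";
} else {
	printf( "Burst Statistics %s (%s): %s\n",
		$status['version'],
		$status['active'] ? 'active' : 'inactive',
		$status['affected'] ? 'AFFECTED, update to 3.4.2 or later' : 'not in affected range' );
}

$since    = '2026-04-23 00:00:00';
$suspects = admins_registered_since( $since );
if ( empty( $suspects ) ) {
	echo "No administrator accounts registered since $since.\n";
} else {
	echo "Administrator accounts registered since $since (verify each one):\n";
	foreach ( $suspects as $u ) {
		printf( "  #%d %-20s %-30s %s\n", $u->ID, $u->user_login, $u->user_email, $u->user_registered );
	}
}
```

An account you do not recognise in that list is evidence of compromise rather than something to delete quietly: preserve the record, then look for the backdoors and redirects described above before rotating credentials. Note the limit of this check: an attacker who only impersonated an existing administrator leaves no new user row, so an empty list does not prove the site was untouched.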
Broader context and lessons
This incident highlights ongoing security challenges within the WordPress ecosystem, where third-party plugins can introduce critical vulnerabilities. Similar authentication bypass flaws have been discovered in other popular plugins, underscoring the need for rigorous code audits and timely updates. Site owners should regularly review and update their plugins, prioritize those with strong security practices, and consider implementing additional safeguards like Web Application Firewalls (WAFs).
The rapid exploitation of CVE-2026-8181 also serves as a reminder that even privacy-focused tools are not immune to severe security flaws. As WordPress powers over 40% of the web, vulnerabilities in widely used plugins can have far-reaching consequences, affecting businesses, publishers, and individual site owners alike, potentially leading to data breaches and reputational damage.
Conclusion and ongoing monitoring
With attacks already underway, the window for prevention is narrowing. WordPress administrators must act swiftly to apply the patch or remove the plugin. Security researchers will continue to monitor for further exploitation and may discover additional related issues. In the meantime, maintaining a proactive security posture—through updates, backups, and monitoring—is essential for mitigating such risks and protecting online assets.
FAQ
What versions of Burst Statistics are affected by CVE-2026-8181?
Versions 3.4.0 and 3.4.1. The fix shipped in version 3.4.2 on May 12, 2026.
How many WordPress sites are at risk from this vulnerability?
An estimated 115,000. The plugin has roughly 200,000 active installations, and about 85,000 downloads of the patched version had been recorded via WordPress.org at the time of writing.
What immediate actions should Burst Statistics users take?
Update to version 3.4.2 or later, or deactivate the plugin until you can. Because the flaw is being actively exploited, also check the site for signs of compromise, such as administrator accounts you did not create.
Prepared by the editorial stack from public data and external sources.