Attackers are exploiting a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to gain admin-level access to websites.
Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites, marketed as a lightweight alternative to Google Analytics.
The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following release, version 3.4.1.
According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even to create rogue admin accounts.
“This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” explains Wordfence.
“In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever.”
The root cause is a misinterpretation of the value returned by the ‘wp_authenticate_application_password()’ function, specifically treating a ‘WP_Error’ as a sign of successful authentication.
The researchers also note that WordPress may return ‘null’ from this function in some cases (core does so when no application-password authentication was attempted at all), and the plugin mistakenly treats that result as an authenticated request as well.
As a result, the code calls ‘wp_set_current_user()’ with the attacker-supplied username, effectively impersonating that user for the duration of the REST API request.
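To make the class of mistake concrete, the following is an added PHP illustration written for this article; it is not Burst Statistics' code and not Wordfence's proof of concept. It models the return contract of wp_authenticate_application_password() (a WP_User on success, a WP_Error on a bad credential, null when authentication was not attempted) with a simplified stand-in of the same name, a constructed credential table, and minimal WP_User and WP_Error classes, then places a hypothetical check that reproduces the behaviour described above next to a hardened one. The resolve_user_vulnerable() and resolve_user_fixed() functions, the APP_PASSWORDS table and the sample requests are all assumptions made for the example.

```php
<?php
// Added illustration for this article, not the plugin's own code.
// Minimal stand-ins for the two WordPress classes the return contract uses.
class WP_User {
	public function __construct( public string $user_login ) {}
}

class WP_Error {
	public function __construct( public string $code, public string $message ) {}
}

// Constructed sample credential table (assumption for the example).
const APP_PASSWORDS = array( 'admin' => 'correct-horse-battery-staple' );

// Simplified stand-in with the same return contract as WordPress core:
// WP_User on success, WP_Error on a wrong credential, null if no
// application-password authentication was attempted (no credentials sent).
function wp_authenticate_application_password( ?string $username, ?string $password ): WP_User|WP_Error|null {
	if ( $username === null || $password === null ) {
		return null;
	}
	if ( isset( APP_PASSWORDS[ $username ] ) && hash_equals( APP_PASSWORDS[ $username ], $password ) ) {
		return new WP_User( $username );
	}
	return new WP_Error( 'invalid_password', 'Invalid application password.' );
}

// Hypothetical vulnerable pattern: the check only rejects boolean false, a
// value the function never returns, so WP_Error and null both "succeed" and
// the caller-supplied username is what wp_set_current_user() would receive.
function resolve_user_vulnerable( ?string $username, ?string $password ): ?string {
	$result = wp_authenticate_application_password( $username, $password );
	if ( $result !== false ) { // BUG: WP_Error and null both pass this test
		return $username;
	}
	return null;
}

// Hardened pattern: only a WP_User object proves authentication succeeded,
// and the identity used is the one core returned, not the supplied string.
function resolve_user_fixed( ?string $username, ?string $password ): ?string {
	$result = wp_authenticate_application_password( $username, $password );
	if ( $result instanceof WP_User ) {
		return $result->user_login;
	}
	return null; // WP_Error or null: treat the request as unauthenticated
}

// Constructed requests: wrong password, no password at all, correct password.
$requests = array(
	array( 'admin', 'wrong' ),
	array( 'admin', null ),
	array( 'admin', 'correct-horse-battery-staple' ),
);
foreach ( $requests as list( $u, $p ) ) {
	printf(
		"user=%s password=%s vulnerable=%s fixed=%s\n",
		var_export( $u, true ),
		var_export( $p, true ),
		var_export( resolve_user_vulnerable( $u, $p ), true ),
		var_export( resolve_user_fixed( $u, $p ), true )
	);
}
```

Run with `php example.php` (PHP 8.0 or newer for the union return type and constructor promotion). The first two requests show the vulnerable check resolving to 'admin' despite a wrong or missing password, while the hardened check yields NULL; only the third request authenticates in both. The practical takeaway for plugin code is to test for the success type explicitly (instanceof WP_User) rather than for the absence of one failure value.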
Admin usernames are often exposed in blog posts, comments, or even public API responses, and attackers can also guess them by brute force.
Admin-level access lets attackers read private database contents, plant backdoors, redirect visitors to malicious sites, distribute malware, create rogue admin users, and more.
While Wordfence warned in its post that it “expect[s] this vulnerability to be targeted by attackers and, as such, updating to the latest version as soon as possible is critical,” its tracker shows that malicious activity has already begun.
According to the same platform, the website security firm has blocked over 7,400 attacks targeting CVE-2026-8181 in the past 24 hours, so activity is significant.
Users of the Burst Statistics plugin are advised to upgrade to the patched release, version 3.4.2, published on May 12, 2026, or to disable the plugin on their site.
WordPress.org stats show that Burst Statistics has had 85,000 downloads since the release of 3.4.2, so even assuming all of those were for the latest version, roughly 115,000 sites remain exposed to admin takeover attacks.