Security Breach: Critical Vulnerability in WordPress Plugin Exposes Admin Accounts
Cybercriminals are exploiting a severe authentication bypass flaw within the “Burst Statistics” plugin, gaining unauthorized admin-level access to numerous WordPress websites.
Burst Statistics, a plugin designed for privacy-conscious analytics, is utilized on approximately 200,000 WordPress sites and is promoted as a streamlined alternative to Google Analytics.
The vulnerability, tracked as CVE-2026-8181, was introduced in version 3.4.0, released on April 23, and persisted in the subsequent version, 3.4.1.
As reported by Wordfence, which detected CVE-2026-8181 on May 8, the flaw lets unauthenticated users impersonate legitimate admin users during REST API requests, which in turn allows them to create rogue admin accounts.
“This vulnerability allows unauthorized attackers who possess a valid administrator username to fully mimic that administrator throughout any REST API request, including essential WordPress core endpoints such as /wp-json/wp/v2/users, simply by submitting an arbitrary and incorrect password via a Basic Authentication header,” Wordfence elaborates.
“In the most dire scenario, an attacker might exploit this vulnerability to establish a new administrator account without requiring any prior authentication.”
The crux of the issue lies in how the plugin interprets the return value of the ‘wp_authenticate_application_password()’ function: a ‘WP_Error’ return value is erroneously treated as a successful authentication.
Moreover, the researchers note that WordPress can return ‘null’ from this function under certain conditions, and that value is likewise mistaken for an authenticated request.
Because of this mishandling, the code goes on to call ‘wp_set_current_user()’ with the attacker-supplied username, impersonating the targeted user for the duration of the REST API request.
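The failure mode described above comes down to a single result check. The following is an added illustration, not the Burst Statistics plugin's code or WordPress core code: it shows the three return shapes that ‘wp_authenticate_application_password()’ is documented to produce (a ‘WP_User’ on success, a ‘WP_Error’ on a wrong password, ‘null’ when the function declines to handle the request) and contrasts a loose "anything but false is success" check with a strict ‘WP_User’ check. The ‘WP_Error’, ‘WP_User’ and ‘is_wp_error()’ stand-ins, the ‘fake_wp_authenticate_application_password()’ stub and the two ‘*_resolve_user()’ functions are all constructed for this example so it runs outside WordPress with plain ‘php’.

```php
<?php
// Added example, not the plugin's or WordPress core's code. Minimal stand-ins
// so the file runs outside WordPress; real plugins get these from core.
if ( ! class_exists( 'WP_Error' ) ) {
    class WP_Error {
        public $code; public $message;
        public function __construct( $code = '', $message = '' ) { $this->code = $code; $this->message = $message; }
    }
}
if ( ! class_exists( 'WP_User' ) ) {
    class WP_User {
        public $ID; public $user_login;
        public function __construct( $id = 0, $login = '' ) { $this->ID = $id; $this->user_login = $login; }
    }
}
if ( ! function_exists( 'is_wp_error' ) ) {
    function is_wp_error( $thing ) { return $thing instanceof WP_Error; }
}

// Constructed stub mirroring core's documented return types for
// wp_authenticate_application_password( $input_user, $username, $password ):
//   WP_User  -> the supplied application password matched
//   WP_Error -> the user exists but the password is wrong
//   null     -> the function declined (e.g. unknown user); $input_user is passed back
function fake_wp_authenticate_application_password( $input_user, $username, $password ) {
    // Constructed sample account; the application password is a made-up value.
    $known = array( 'admin' => array( 'ID' => 1, 'pw' => 'abcd efgh ijkl mnop qrst uvwx' ) );
    if ( ! isset( $known[ $username ] ) ) {
        return $input_user; // null: let other authentication handlers try
    }
    if ( $password !== $known[ $username ]['pw'] ) {
        return new WP_Error( 'incorrect_password', 'The provided password is an invalid application password.' );
    }
    return new WP_User( $known[ $username ]['ID'], $username );
}

// VULNERABLE pattern (constructed): any non-false result is treated as
// "authenticated", so both WP_Error and null slip through and the returned
// login would then be handed to wp_set_current_user( 0, $username ).
function vulnerable_resolve_user( $username, $password ) {
    $result = fake_wp_authenticate_application_password( null, $username, $password );
    if ( false !== $result ) {
        return $username;
    }
    return null;
}

// HARDENED pattern: only a WP_User object counts as success. Note that checking
// is_wp_error() alone would still let the null case through.
function hardened_resolve_user( $username, $password ) {
    $result = fake_wp_authenticate_application_password( null, $username, $password );
    if ( $result instanceof WP_User ) {
        return $result->user_login;
    }
    return null;
}

// Three constructed cases: a valid application password, a wrong password for
// an existing admin login, and an unknown login.
$cases = array(
    array( 'admin',  'abcd efgh ijkl mnop qrst uvwx' ),
    array( 'admin',  'wrong' ),
    array( 'nobody', 'wrong' ),
);
foreach ( $cases as list( $u, $p ) ) {
    printf( "%-7s %-30s vulnerable=%-8s hardened=%s\n", $u, $p,
        var_export( vulnerable_resolve_user( $u, $p ), true ),
        var_export( hardened_resolve_user( $u, $p ), true ) );
}
```

Run with ‘php example.php’. The second row is the one that matters for this advisory: with an existing admin login and an arbitrary wrong password, the loose check still yields the admin's username, which is exactly the ‘WP_Error’-treated-as-success behaviour the researchers describe, while the strict ‘instanceof WP_User’ check returns ‘NULL’ for both the wrong-password and the unknown-user rows.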
Admin usernames may be revealed through blog posts, comments, or public API queries; attackers might also attempt to guess them by brute force.
Admin-level access grants a wide range of dangerous capabilities: intruders can read private databases, implant backdoors, redirect unsuspecting visitors, distribute malware, create further fictitious admin accounts, and more.
While Wordfence cautions that “this vulnerability is likely to be exploited by malicious actors, making immediate updating to the latest version imperative,” its attack tracker indicates that exploitation has already begun.
The security firm reports blocking more than 7,400 attacks targeting CVE-2026-8181 in the past 24 hours alone, underscoring the severity of the situation.
Burst Statistics users are urged to upgrade to the patched version 3.4.2, which was released on May 12, 2026, or to disable the plugin entirely to mitigate risk.

According to statistics from WordPress.org, Burst Statistics experienced 85,000 downloads post-release of version 3.4.2, suggesting that around 115,000 sites may still be vulnerable to potential admin takeover attacks.
Source link: Bleepingcomputer.com.