Critical Vulnerability in WordPress Plugin Exposes Over 200,000 Websites
A significant security flaw in a widely utilised WordPress plugin has rendered over 200,000 websites vulnerable to complete account takeover, igniting profound concerns within the cybersecurity landscape.
This vulnerability, identified on May 8, 2026, by Wordfence’s advanced AI-driven PRISM threat intelligence platform, pertains to the Burst Statistics plugin, an analytics tool emphasising privacy.
Tracked as CVE-2026-8181 and assigned a CVSS score of 9.8, the flaw allows unauthenticated attackers to bypass authentication and impersonate administrator accounts.
The issue affects versions ranging from 3.4.0 to 3.4.1.1 and was first introduced on April 23, 2026.
Remarkably, the vulnerability was detected only 15 days after it was introduced, and a patch followed 19 days after introduction, demonstrating how AI can shorten potential exploitation windows.
WordPress Plugin Authentication Bypass Vulnerability
The origin of this vulnerability lies in inadequate validation practices in the plugin’s MainWP integration, particularly in the is_mainwp_authenticated() function.
This function handles authentication requests carried in the HTTP Authorization header but fails to verify that the supplied credentials are valid.
Because of insecure return-value handling, any non-error response from WordPress's wp_authenticate_application_password() function is treated as successful authentication.
In some cases, when authentication does not succeed, that function returns null rather than signalling an error, so a malicious request passes through without scrutiny.
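The following is an added, self-contained PHP illustration of the return-value handling bug described above. It is not the Burst Statistics plugin's code: the WP_User and WP_Error classes and the fake_authenticate_application_password() function are minimal stand-ins (assumptions) that reproduce only the contract that matters here, namely that the WordPress function returns a WP_User on success, a WP_Error on a wrong password, and the untouched input (null) when it does not handle the request. The vulnerable check treats anything that is not a WP_Error as success; the hardened check requires an actual WP_User.

```php
<?php
// Added example, not the plugin's own code. WP_User, WP_Error and the
// authenticate function below are constructed stand-ins for the WordPress
// originals; only the return-value contract is modelled.

class WP_User {
    public function __construct(public int $ID, public string $user_login) {}
}

class WP_Error {
    public function __construct(public string $code, public string $message) {}
}

function is_wp_error($thing): bool {
    return $thing instanceof WP_Error;
}

/**
 * Stand-in for wp_authenticate_application_password() (assumption).
 * Returns WP_User on success, WP_Error on a wrong password, and the unchanged
 * $input_user (null here) when the request is not one it handles. That last
 * branch is what the vulnerable check mistakes for a successful login.
 */
function fake_authenticate_application_password($input_user, string $username, string $password, bool $applicable = true) {
    if (!$applicable) {
        return $input_user;                 // not handled: null passes straight through
    }
    // Constructed user table for the demonstration.
    $known = ['admin' => ['id' => 1, 'app_password' => 'correct-app-password']];
    if (!isset($known[$username])) {
        return $input_user;                 // unknown user: input passes through as well
    }
    if (!hash_equals($known[$username]['app_password'], $password)) {
        return new WP_Error('incorrect_password', 'Wrong application password.');
    }
    return new WP_User($known[$username]['id'], $username);
}

/** Vulnerable pattern: everything that is not a WP_Error counts as authenticated. */
function vulnerable_is_authenticated($result): bool {
    return !is_wp_error($result);           // null is not an error, so it "succeeds"
}

/** Hardened pattern: only a real WP_User object proves the credentials. */
function hardened_is_authenticated($result): bool {
    return $result instanceof WP_User;
}

/** Split a Basic Authorization header into [username, password], or null if malformed. */
function parse_basic_auth(string $header): ?array {
    if (!preg_match('/^Basic\s+(.+)$/i', $header, $m)) return null;
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) return null;
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

// Constructed request: a real username combined with an arbitrary password,
// which is exactly the case the two checks must reject.
$header = 'Basic ' . base64_encode('admin:not-the-real-password');
[$user, $pass] = parse_basic_auth($header);

foreach ([true, false] as $applicable) {
    $result = fake_authenticate_application_password(null, $user, $pass, $applicable);
    printf("applicable=%s result=%s vulnerable=%s hardened=%s\n",
        var_export($applicable, true),
        is_object($result) ? get_class($result) : var_export($result, true),
        var_export(vulnerable_is_authenticated($result), true),
        var_export(hardened_is_authenticated($result), true));
}
```

Run with `php example.php` (PHP 8.0 or later). When the stand-in returns a WP_Error, both checks reject the request; when it returns null, only the hardened check rejects it, which is the gap the article describes. The general lesson is to test for the positive type you need (`instanceof WP_User`) rather than for the absence of an error.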
An assailant can exploit this weakness by issuing a crafted REST API request containing a legitimate administrator username along with any arbitrary password encoded in a Basic Authentication header.
The plugin subsequently establishes the current user context to the intended administrator, effectively bestowing full privileges for the duration of that request.
Successful exploitation enables high-privilege actions without any prior authentication, such as creating a new administrator account through a single request to the /wp-json/wp/v2/users endpoint, which provides persistent access and complete site compromise.
Since this vulnerability affects all REST API endpoints, attackers can manipulate core WordPress functionalities beyond the confines of the plugin itself, significantly expanding the attack surface.
Remediation and Strategies for Mitigation
In a swift response to the revelation of this vulnerability, the Burst Statistics team undertook immediate action. Wordfence initiated a responsible disclosure on May 8, disseminated comprehensive details by May 11, and the vendor rolled out a patched version (3.4.2) on May 12, 2026.
Users are strongly urged to promptly update to version 3.4.2 or later to mitigate the associated risks.
Wordfence clients utilising Premium, Care, or Response tiers benefited from firewall protection starting May 8, while free users are set to receive similar protections on June 7, 2026.

Security professionals caution that the exploitation’s simplicity and absence of required authentication render this vulnerability particularly enticing for malicious actors.
Administrators are advised to conduct thorough audits of user accounts, scrutinise logs, and ensure immediate implementation of the patch to avert potential compromises.
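As an added example of the log review recommended above (not code from the article or the plugin), the PHP script below scans a combined-format web server access log for successful POST requests to the /wp-json/wp/v2/users endpoint made on or after the date the vulnerable code was introduced, since that endpoint is the one the article names for creating an administrator account. The log lines, IP addresses and user agents are constructed for the illustration; the log format and the VULNERABLE_SINCE date are assumptions taken from common server defaults and from the article respectively.

```php
<?php
// Added example, not the plugin's or the article's code. Flags REST API user
// creation requests in an access log so they can be checked against the site's
// own record of legitimate administrator activity.

const VULNERABLE_SINCE = '2026-04-23'; // date the flaw was introduced, per the article

/** Parse one combined-format access log line into its fields, or null if it does not match. */
function parse_access_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) return null;
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) return null;
    return [
        'ip'     => $m[1],
        'time'   => $ts,
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/**
 * Return the entries worth a closer look: successful POSTs to the users
 * endpoint after the vulnerable release date. A 2xx here means a user record
 * was created; whether that was legitimate has to be confirmed by hand.
 */
function find_rest_user_creations(array $lines): array {
    $since = new DateTimeImmutable(VULNERABLE_SINCE . ' 00:00:00', new DateTimeZone('UTC'));
    $hits = [];
    foreach ($lines as $line) {
        $e = parse_access_log_line($line);
        if ($e === null) continue;
        $path = strtok($e['path'], '?');          // drop any query string
        if ($e['method'] === 'POST'
            && rtrim($path, '/') === '/wp-json/wp/v2/users'
            && $e['status'] >= 200 && $e['status'] < 300
            && $e['time'] >= $since) {
            $hits[] = $e;
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation IP ranges, invented user agents).
$sample = [
    '203.0.113.10 - - [15/May/2026:03:12:44 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/May/2026:03:13:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/May/2026:03:13:20 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 95 "-" "python-requests/2.31"',
    '192.0.2.5 - - [20/Apr/2026:11:00:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 410 "-" "Mozilla/5.0"',
];

foreach (find_rest_user_creations($sample) as $e) {
    printf("%s %s %s %s -> %d (%s)\n",
        $e['time']->format(DATE_ATOM), $e['ip'], $e['method'], $e['path'], $e['status'], $e['ua']);
}
```

Only the first sample line is reported: the 401 attempt did not create anything and the 20 April entry predates the vulnerable release. Pair the log review with the account audit the article recommends, for instance by listing administrators and their registration dates with `wp user list --role=administrator --fields=ID,user_login,user_registered` and comparing any account registered on or after 23 April 2026 against the flagged log entries.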
Source link: Cybersecuritynews.com.