
Hackers are exploiting a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to gain admin-level access to websites.
Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.
The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the next release, version 3.4.1.
According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even to create rogue admin accounts.
“This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator during any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” explains Wordfence.
“In a worst-case scenario, an attacker could also exploit this flaw to create a new administrator-level account with no prior authentication whatsoever.”
The root cause is the incorrect interpretation of the results of the ‘wp_authenticate_application_password()’ function, specifically, treating a ‘WP_Error’ return value as a sign of successful authentication.
The researchers also note that WordPress can return ‘null’ from that function in some situations, and that this value too is mistakenly treated as an authenticated request. The only value that actually proves authentication is a ‘WP_User’ object.
As a result, the code calls ‘wp_set_current_user()’ for the attacker-supplied username, effectively impersonating that user for the remainder of the REST API request.
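The decision logic described above, as an added example in PHP. This is not the plugin's code and not Wordfence's proof of concept; it is a hypothetical reconstruction of the bug class, with stand-in WP_Error and WP_User classes and a stand-in wp_authenticate_application_password() so the file runs without WordPress. The function names vulnerable_set_rest_user() and fixed_set_rest_user(), the demo_* globals and the fixture credentials are assumptions made for the illustration.

```php
<?php
// Added illustration of the bug class the article describes. This is NOT Burst
// Statistics' code; the WordPress classes and functions below are stand-ins so the
// file runs on its own (php rest_auth_demo.php). All fixture data is constructed.

class WP_Error {
    public $code;
    public function __construct($code) { $this->code = $code; }
}
class WP_User {
    public $ID;
    public $user_login;
    public function __construct($id, $login) { $this->ID = $id; $this->user_login = $login; }
}
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Constructed fixture: one administrator with one valid application password.
$GLOBALS['demo_users']                   = ['admin' => new WP_User(1, 'admin')];
$GLOBALS['demo_app_passwords']           = ['admin' => 'correct-app-password'];
$GLOBALS['demo_app_passwords_available'] = true;
$GLOBALS['demo_current_user']            = 0;

// Stand-in for wp_authenticate_application_password() with the three outcomes the
// article mentions: the input user handed back untouched (null for an anonymous
// request, e.g. when application passwords are not in use on the site), WP_Error
// on a bad credential, and WP_User only on success.
function wp_authenticate_application_password($input_user, $username, $password) {
    if (!$GLOBALS['demo_app_passwords_available']) {
        return $input_user;
    }
    if ($username === '' && $password === '') {
        return $input_user;
    }
    if (!isset($GLOBALS['demo_users'][$username])
        || $GLOBALS['demo_app_passwords'][$username] !== $password) {
        return new WP_Error('incorrect_password');
    }
    return $GLOBALS['demo_users'][$username];
}

function wp_set_current_user($id) {
    $GLOBALS['demo_current_user'] = $id;
    return $id;
}

// Vulnerable pattern (hypothetical reconstruction): boolean false is treated as the
// only failure signal, so a WP_Error and a null result both fall through, and the
// attacker-supplied username, not an authenticated object, decides who is logged in.
function vulnerable_set_rest_user($auth_user, $auth_pass) {
    $result = wp_authenticate_application_password(null, $auth_user, $auth_pass);
    if ($result === false) {
        return 0;
    }
    $user = $GLOBALS['demo_users'][$auth_user] ?? null;
    return $user ? wp_set_current_user($user->ID) : 0;
}

// Hardened pattern: only a WP_User returned by the authenticator proves the request,
// and the user ID comes from that object, never from the request.
function fixed_set_rest_user($auth_user, $auth_pass) {
    $result = wp_authenticate_application_password(null, $auth_user, $auth_pass);
    if (is_wp_error($result) || !($result instanceof WP_User)) {
        return 0;
    }
    return wp_set_current_user($result->ID);
}

// Scenario 1 from the article: a known admin username with an arbitrary wrong password.
$GLOBALS['demo_app_passwords_available'] = true;
printf("WP_Error case, vulnerable: current user ID %d\n", vulnerable_set_rest_user('admin', 'garbage'));
printf("WP_Error case, fixed:      current user ID %d\n", fixed_set_rest_user('admin', 'garbage'));

// Scenario 2 from the article: WordPress returns null instead of a WP_Error.
$GLOBALS['demo_app_passwords_available'] = false;
printf("null case, vulnerable:     current user ID %d\n", vulnerable_set_rest_user('admin', 'garbage'));
printf("null case, fixed:          current user ID %d\n", fixed_set_rest_user('admin', 'garbage'));

// Legitimate use: the correct application password still authenticates on the fixed path.
$GLOBALS['demo_app_passwords_available'] = true;
printf("real password, fixed:      current user ID %d\n", fixed_set_rest_user('admin', 'correct-app-password'));
```

In the vulnerable path the admin's user ID reaches wp_set_current_user() in both the WP_Error and the null scenario, because the code only ever compares against false; in the fixed path it reaches it only when the authenticator returned a WP_User. When reviewing your own plugins, the pattern to look for is any caller of wp_authenticate_application_password() or a similar filter that keys on the request's username rather than on the type of the value the authenticator returned.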
Admin usernames are often exposed in blog posts, comments, or even in public API requests (the same /wp-json/wp/v2/users endpoint lists post authors on many sites), but attackers can also use brute-force techniques to guess them.
Admin-level access allows attackers to read private databases, plant backdoors, redirect visitors to unsafe locations, distribute malware, create rogue admin users, and more.
While Wordfence warned in its post that they “expect this vulnerability to be targeted by attackers and, as such, updating to the latest version as soon as possible is critical,” its tracker shows that malicious activity has already begun.
According to the same platform, the website security firm has blocked over 7,400 attacks targeting CVE-2026-8181 in the past 24 hours, so the activity is significant.
Users of the Burst Statistics plugin are urged to upgrade to the patched release, version 3.4.2, released on May 12, 2026, or to disable the plugin on their site. Since exploitation is already underway and the flaw allows rogue admin creation, sites that ran 3.4.0 or 3.4.1 should also review their administrator accounts for any they did not create.
WordPress.org stats show that Burst Statistics has had 85,000 downloads since the release of 3.4.2, so assuming that all of those were for the latest version, roughly 115,000 sites remain exposed to admin takeover attacks.
