Critical WordPress Plugin Flaw Allows Authentication Bypass Attacks

Jennifer Sherman
May 18, 2026

A critical vulnerability in a widely used WordPress plugin has left over 200,000 websites exposed to full account takeover. This severe flaw, recently uncovered, has prompted urgent warnings across the security community.

Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool.

Tracked as CVE-2026-8181 with a CVSS score of 9.8, the vulnerability lets unauthenticated attackers impersonate any administrator account without knowing its password.

The issue affects versions 3.4.0 through 3.4.1.1 and was introduced on April 23, 2026.

It was identified 15 days after being introduced and patched 19 days after introduction (four days after discovery), illustrating how AI-driven vulnerability discovery is shrinking the window in which a flaw can be exploited before a fix exists.

WordPress Plugin Auth Bypass Flaw

The vulnerability stems from improper validation in the plugin’s MainWP integration, specifically in the is_mainwp_authenticated() function.

This function reads the credentials carried in the HTTP Authorization header and hands them to WordPress core, but never confirms that core actually validated them.

Because of insecure return-value handling, the plugin treats any value returned by WordPress’s wp_authenticate_application_password() that is not a WP_Error as a successful authentication.

In some cases core performs no password check at all and returns null (its unchanged input user) rather than a WP_Error, so a request carrying unverified credentials passes the plugin’s check.

An attacker exploits this by sending a crafted REST API request whose Basic Authentication header carries the username of an existing administrator and an arbitrary password.

The plugin then sets the current user context to that administrator, granting the request full administrative privileges even though no password was ever verified.
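The following is an added example for this article, not code from the Burst Statistics plugin, from Wordfence or from WordPress core. It reproduces the return-value mistake described above with constructed stand-ins for the core pieces: a stub wp_authenticate_application_password() that, like core, hands back its input user unchanged (null) when it does not attempt a password check, a constructed user table, and a constructed Authorization header. The functions authenticate_vulnerable() and authenticate_fixed() are hypothetical names for the weak check and its hardened form; the hardened one accepts only a WP_User and only the user that was named.

```php
<?php
// Added example for this article; it is not code from the Burst Statistics
// plugin, from Wordfence, or from WordPress core. It reproduces the return-value
// mistake described above using constructed stand-ins for the core pieces.
// What is real: core's wp_authenticate_application_password( $input_user,
// $username, $password ) returns a WP_User on success, a WP_Error on a failed
// password check, and otherwise returns $input_user unchanged (null for a
// request that has not been authenticated yet), for instance when the site has
// no application passwords in use. The names authenticate_vulnerable and
// authenticate_fixed are hypothetical. Requires PHP 8.

class WP_Error
{
    public function __construct(public string $code = '') {}
}

class WP_User
{
    public function __construct(public int $ID, public string $user_login) {}
}

function is_wp_error(mixed $thing): bool
{
    return $thing instanceof WP_Error;
}

// Constructed stand-in for the core filter callback, modelling only the
// pass-through case that matters here.
function wp_authenticate_application_password(mixed $input_user, string $username, string $password): mixed
{
    $application_passwords_in_use = false; // constructed site state
    if (!$application_passwords_in_use) {
        return $input_user; // core never looks at $password in this case
    }
    return new WP_Error('incorrect_password');
}

// Constructed user table: one administrator.
function get_user_by(string $field, string $value): ?WP_User
{
    return ($field === 'login' && $value === 'admin') ? new WP_User(1, 'admin') : null;
}

// Parse "Authorization: Basic <base64(user:pass)>" into [user, pass].
function credentials_from_basic_header(string $header): ?array
{
    if (!preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    return explode(':', $decoded, 2);
}

// Vulnerable pattern (reconstructed from the description, not the plugin's
// source): anything that is not a WP_Error counts as "authenticated".
function authenticate_vulnerable(string $header): ?WP_User
{
    [$username, $password] = credentials_from_basic_header($header) ?? [null, null];
    if ($username === null) {
        return null;
    }
    $result = wp_authenticate_application_password(null, $username, $password);
    if (is_wp_error($result)) {
        return null;
    }
    // BUG: $result is null here, yet the request proceeds as the named user.
    return get_user_by('login', $username);
}

// Hardened pattern: insist on a WP_User, and on it being the user that was
// named, before any current-user context is set.
function authenticate_fixed(string $header): ?WP_User
{
    [$username, $password] = credentials_from_basic_header($header) ?? [null, null];
    if ($username === null) {
        return null;
    }
    $result = wp_authenticate_application_password(null, $username, $password);
    if (!($result instanceof WP_User)) {
        return null; // rejects WP_Error and the null pass-through alike
    }
    $named = get_user_by('login', $username);
    return ($named !== null && $named->ID === $result->ID) ? $result : null;
}

// Constructed request: a real administrator login with a made-up password.
$header = 'Basic ' . base64_encode('admin:definitely-not-the-password');

$u = authenticate_vulnerable($header);
printf("vulnerable check: %s\n", $u ? "runs as {$u->user_login} (ID {$u->ID}) with no password verified" : 'rejected');
$u = authenticate_fixed($header);
printf("hardened check:   %s\n", $u ? "runs as {$u->user_login}" : 'rejected');
```

Run it with `php example.php`. The design point is that a check of the form `if (!is_wp_error($result))` is not a check for success: the only positive evidence of authentication is a WP_User, so that is what the hardened branch requires, and it additionally confirms the returned user matches the one named in the header before anything like wp_set_current_user() would be called.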

Successful exploitation therefore allows high-privilege actions with no prior authentication.

For example, a single POST request to the /wp-json/wp/v2/users endpoint can create a new administrator account, giving the attacker persistent access and complete control of the site.

Because the forged user context applies to any REST API request that carries the header, not only the plugin’s own endpoints, attackers can drive core WordPress functionality, which greatly widens the attack surface.

Patch and Mitigation

The Burst Statistics team responded rapidly after disclosure. Wordfence initiated responsible disclosure on May 8, shared full details on May 11, and the vendor released a patched version (3.4.2) on May 12, 2026.

Users are strongly advised to update immediately to version 3.4.2 or later to mitigate the risk.

Wordfence customers on the Premium, Care, or Response tiers received a firewall rule on May 8, while free users are scheduled to receive the same rule on June 7, 2026. A firewall rule blocks the known request pattern but does not replace the update.

Security experts warn that the simplicity of exploitation and the absence of any authentication requirement make this vulnerability highly attractive to threat actors.

Administrators should update immediately, then audit administrator accounts for unexpected additions and review access logs for POST requests to the REST users endpoint, since patching closes the hole but does not remove accounts an attacker may already have created.
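The following log check is an added example for this article, not a tool from the article, the plugin vendor or Wordfence. It scans access log lines in the Apache/nginx combined format for the post-exploitation step described above, a POST to the REST users route, in both its pretty-permalink form and the /index.php?rest_route= form, and reports which attempts succeeded. The log lines are constructed and use documentation IP ranges. One caveat a practitioner should know: access logs do not record the Authorization header, so the forged Basic-auth credentials are not visible in them; the user-creation request and its status code are.

```php
<?php
// Added example for this article, not from the article, the plugin vendor or
// Wordfence. It scans web-server access logs (Apache/nginx combined format)
// for the post-exploitation step described above: a POST to the REST users
// endpoint. Caveat: access logs do not record the Authorization header, so the
// forged Basic-auth credentials are not visible in them; what is visible is a
// user-creation request and whether it succeeded (HTTP 201). The log lines
// below are constructed; the IPs are documentation ranges.

$sample_log = <<<'LOG'
203.0.113.7 - - [13/May/2026:02:14:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 842 "-" "python-requests/2.31"
198.51.100.4 - - [13/May/2026:02:15:31 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 6130 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2026:02:15:40 +0000] "POST /index.php?rest_route=/wp/v2/users HTTP/1.1" 201 839 "-" "python-requests/2.31"
192.0.2.10 - - [13/May/2026:02:16:02 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 93 "-" "curl/8.4.0"
LOG;

// Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"$/';

// Return every POST aimed at the REST users route, pretty-permalink form
// (/wp-json/wp/v2/users) or plain form (/index.php?rest_route=/wp/v2/users).
function find_rest_user_creations(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue; // not a combined-format line; skip rather than guess
        }
        $path = parse_url($m['path'], PHP_URL_PATH) ?: $m['path'];
        parse_str(parse_url($m['path'], PHP_URL_QUERY) ?? '', $qs);
        $route = rtrim($qs['rest_route'] ?? '', '/');
        $is_users_route = preg_match('#/wp-json/wp/v2/users/?$#', $path) === 1 || $route === '/wp/v2/users';
        if ($m['method'] === 'POST' && $is_users_route) {
            $hits[] = [
                'ip'      => $m['ip'],
                'time'    => $m['time'],
                'status'  => (int) $m['status'],
                'ua'      => $m['ua'],
                'created' => (int) $m['status'] === 201, // WordPress answers 201 when a user is created
            ];
        }
    }
    return $hits;
}

foreach (find_rest_user_creations($sample_log) as $h) {
    printf("%s  %-14s  %d  %s  ua=%s\n",
        $h['time'], $h['ip'], $h['status'],
        $h['created'] ? 'USER CREATED: confirm against the site user list' : 'attempt rejected',
        $h['ua']);
}
```

Point it at a real log by replacing `$sample_log` with `file_get_contents()` of the access log. Every 201 hit is an account to look for in the site’s administrator list; a 401 hit is still worth noting as a source address probing the endpoint.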
