Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks


A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community.

Discovered on May 8, 2026, by Wordfence's AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool.

Tracked as CVE-2026-8181 with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to bypass authentication and impersonate administrator accounts.

The issue affects versions 3.4.0 through 3.4.1.1 and was introduced on April 23, 2026.

Notably, it was identified within just 15 days of being introduced and patched 19 days after introduction (four days after discovery), highlighting how AI-driven vulnerability discovery is shrinking the window in which a flaw can be exploited.

WordPress Plugin Auth Bypass Flaw

The vulnerability stems from improper validation in the plugin's MainWP integration, specifically within the is_mainwp_authenticated() function.

This function processes authentication requests via the HTTP Authorization header but fails to verify that the supplied credentials are actually valid.

Due to insecure return-value handling, the plugin treats any non-error response from WordPress's wp_authenticate_application_password() function as successful authentication.

In certain circumstances, this function returns null rather than a WP_Error when it has not authenticated the request, so a "not an error" check lets malicious requests pass through unchecked.

An attacker can exploit this flaw by sending a crafted REST API request with a valid administrator username and any arbitrary password encoded in a Basic Authentication header.

The plugin then sets the current user context to the targeted administrator, effectively granting full privileges for the duration of the request.
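The following is an added example, not the Burst Statistics plugin's code, reproducing the return-value handling bug described above. It uses a stand-in for wp_authenticate_application_password() (assumed, consistent with the article, to return its $input_user argument unchanged, i.e. null, when it does not handle the request, and a WP_Error when a check fails) and minimal stand-ins for WP_User, WP_Error and is_wp_error() so it runs outside WordPress. It goes slightly beyond the article by showing three cases side by side: a valid application password, a wrong password, and a wrong password when the function declines to handle the request.

```php
<?php
// Added example: an illustrative vulnerable check next to its hardened form.
// Not the plugin's real code. Run with: php auth-check-demo.php

// Minimal stand-ins for WordPress types (assumptions for a stand-alone run;
// inside WordPress these classes and functions already exist).
class WP_Error { public function __construct(public string $code = '') {} }
class WP_User  { public function __construct(public int $ID, public string $user_login) {} }
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Stand-in for wp_authenticate_application_password($input_user, $username, $password).
// Assumption: when the function does not apply (here modelled by
// $app_passwords_in_use === false) it returns $input_user unchanged, which is
// null when no earlier filter authenticated the request.
function mock_authenticate_application_password($input_user, string $username, string $password, bool $app_passwords_in_use) {
    if ($input_user instanceof WP_User) {
        return $input_user;
    }
    if (!$app_passwords_in_use) {
        return $input_user;            // null means "did not handle", NOT "success"
    }
    // Constructed demo data: exactly one valid application password exists.
    if ($username === 'admin' && $password === 'correct-app-password') {
        return new WP_User(1, 'admin');
    }
    return new WP_Error('invalid_application_password');
}

// Vulnerable pattern: anything that is not a WP_Error is treated as authenticated.
function vulnerable_is_authenticated(string $username, string $password, bool $app_passwords_in_use): bool {
    $result = mock_authenticate_application_password(null, $username, $password, $app_passwords_in_use);
    return !is_wp_error($result);     // null passes this check
}

// Hardened pattern: only a WP_User for the requested login counts as authenticated.
function hardened_is_authenticated(string $username, string $password, bool $app_passwords_in_use): bool {
    $result = mock_authenticate_application_password(null, $username, $password, $app_passwords_in_use);
    return $result instanceof WP_User && $result->user_login === $username;
}

$cases = [
    // [description, username, password, application passwords in use]
    ['valid app password',        'admin', 'correct-app-password', true],
    ['wrong password',            'admin', 'anything',             true],
    ['wrong password, not handled','admin', 'anything',             false],
];
foreach ($cases as [$desc, $user, $pass, $inUse]) {
    printf("%-30s vulnerable=%-5s hardened=%s\n", $desc,
        vulnerable_is_authenticated($user, $pass, $inUse) ? 'true' : 'false',
        hardened_is_authenticated($user, $pass, $inUse) ? 'true' : 'false');
}
```

The third case is the bug: the vulnerable check reports true for an arbitrary password because null is not a WP_Error, whereas the hardened check requires a WP_User and so reports false. In the vulnerable code path that true result is what lets the plugin go on to set the current user to the named administrator.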

Successful exploitation allows attackers to perform high-privilege actions without prior authentication.

For example, a single request to the /wp-json/wp/v2/users endpoint could create a new administrator account, enabling persistent access and full site compromise.

Because the forged user context applies to every REST API request, not just the plugin's own endpoints, attackers can abuse core WordPress functionality beyond the plugin itself, significantly increasing the attack surface.

Patch and Mitigation

The Burst Statistics team responded quickly after disclosure. Wordfence initiated responsible disclosure on May 8, shared full details on May 11, and the vendor released a patched version (3.4.2) on May 12, 2026.

Users are strongly advised to update immediately to version 3.4.2 or later to mitigate the risk.

Wordfence customers on the Premium, Care, or Response tiers received firewall protection on May 8, while free users are scheduled to receive the same protection on June 7, 2026.

Security experts warn that the simplicity of exploitation and the absence of any authentication requirement make this vulnerability highly attractive to threat actors.

Administrators should audit user accounts for unexpected administrators, review logs for REST API requests carrying Basic Authentication headers, and patch immediately to prevent compromise.
