Categories: Cyber Security News

Critical WordPress Plugin Flaw Enables Authentication Bypass Attacks

A critical authentication bypass vulnerability has been discovered in Burst Statistics, a popular WordPress analytics plugin with over 200,000 active installations, putting hundreds of thousands of websites at risk of full administrator takeover with no valid credentials required.

Discovered on May 8, 2026, by PRISM, Wordfence Threat Intelligence’s autonomous AI-powered research platform, the flaw carries a near-perfect CVSS score of 9.8 (Critical) and is tracked as CVE-2026-8181.

The vulnerability affects plugin versions 3.4.0 through 3.4.1.1 and was patched in version 3.4.2, released on May 12, 2026, just one day after the vendor acknowledged the report.

WordPress Plugin Flaw

The vulnerability stems from a flawed return-value check inside the is_mainwp_authenticated() function in includes/Frontend/class-mainwp-proxy.php.

The plugin’s MainWP integration reads attacker-supplied credentials from the Authorization HTTP header and passes them to WordPress core’s wp_authenticate_application_password() function, but critically, it only checks whether the result is a WP_Error, not whether it is a valid WP_User object:

$is_valid = wp_authenticate_application_password( null, $username, $password );
if ( is_wp_error( $is_valid ) ) {
    return false;
}
// $user is assumed to be the WP_User resolved from the supplied username earlier in the function (not shown in the excerpt)
wp_set_current_user( $user->ID );
return true;

When Application Passwords are not in use, WordPress core returns null instead of a WP_Error on failure.

Because null is not a WP_Error, the authentication guard silently passes, and the attacker-supplied admin username is set as the globally authenticated user for the entire REST API request. The fix requires checking $is_valid instanceof WP_User before proceeding.
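As an added illustration (not code from the plugin or from WordPress core), the vulnerable guard and the corrected instanceof WP_User check side by side, driven by a stand-in authenticator that returns the three outcomes the article describes; the fake_ function, the stub classes and the sample application password are assumptions.

```php
<?php
// Added example, not code from the Burst Statistics plugin or WordPress core.
// Minimal stand-ins for the WordPress types so the guard can be run stand-alone.
class WP_Error { public $code; function __construct( $code ) { $this->code = $code; } }
class WP_User  { public $ID; public $user_login;
    function __construct( $id, $login ) { $this->ID = $id; $this->user_login = $login; } }
function is_wp_error( $thing ) { return $thing instanceof WP_Error; }

// Stand-in for wp_authenticate_application_password() with the three outcomes the
// article describes: WP_User on success, WP_Error on a wrong application password,
// and null (the $input_user passed in) when no application password is in use.
function fake_authenticate_application_password( $input_user, $username, $password ) {
    $app_passwords = array( 'editor' => 'abcd efgh ijkl mnop' ); // constructed sample data
    if ( ! isset( $app_passwords[ $username ] ) ) {
        return $input_user; // Application Passwords not in use: core returns the input (null)
    }
    if ( $app_passwords[ $username ] !== $password ) {
        return new WP_Error( 'incorrect_password' );
    }
    return new WP_User( 7, $username );
}

// Vulnerable guard: only rejects WP_Error, so a null result passes as "authenticated".
function vulnerable_guard( $username, $password ) {
    $is_valid = fake_authenticate_application_password( null, $username, $password );
    if ( is_wp_error( $is_valid ) ) {
        return false;
    }
    return true; // the plugin would now call wp_set_current_user() for the supplied name
}

// Hardened guard: require an actual WP_User and take the identity from that object.
function hardened_guard( $username, $password ) {
    $is_valid = fake_authenticate_application_password( null, $username, $password );
    if ( ! ( $is_valid instanceof WP_User ) ) {
        return false;
    }
    return $is_valid->ID; // the user ID comes from the verified object, never from $username
}

// 'admin' has no application password; 'anyfakepassword' is a bogus guess.
$cases = array(
    array( 'admin',  'anyfakepassword' ),
    array( 'editor', 'wrong password' ),
    array( 'editor', 'abcd efgh ijkl mnop' ),
);
foreach ( $cases as $c ) {
    printf( "%-7s vulnerable=%s hardened=%s\n", $c[0],
        var_export( vulnerable_guard( $c[0], $c[1] ), true ),
        var_export( hardened_guard( $c[0], $c[1] ), true ) );
}
```

The first case is the one in the advisory: the vulnerable guard accepts a user with no application password at all, while the hardened guard rejects it and only ever trusts an ID taken from a returned WP_User.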

An attacker who knows a single valid administrator username can exploit this with one HTTP request:

POST /wp-json/wp/v2/users HTTP/1.1
Host: target-site.com
X-BurstMainWP: 1
Authorization: Basic <base64(admin:anyfakepassword)>

This request would create a new administrator-level account with zero real credentials.

Affected Versions & Immediate Actions

Key details security teams and site administrators need to know:

  • Affected versions: Burst Statistics 3.4.0 – 3.4.1.1
  • Patched version: 3.4.2 (released May 12, 2026)
  • CVE ID: CVE-2026-8181 | CVSS 9.8 Critical
  • Wordfence Premium/Care/Response users received firewall protection on May 8, 2026
  • Wordfence Free users will receive firewall protection on June 7, 2026
  • Exploitation risk: High; unauthenticated attackers only need a valid admin username

Site owners running Burst Statistics should update to version 3.4.2 immediately. Given the unauthenticated nature of this flaw and the ease of exploitation, Wordfence explicitly warned that active exploitation attempts are expected.

The vulnerability was introduced in the codebase on April 23, 2026, discovered 15 days later, and patched within 19 days, a timeline Wordfence cited as a demonstration of AI-accelerated vulnerability research reducing attacker opportunity windows.


The post Critical WordPress Plugin Flaw Enables Authentication Bypass Attacks appeared first on Cyber Security News.

rssfeeds-admin
