On May 8, 2026, PRISM, Wordfence Threat Intelligence's autonomous vulnerability research platform, discovered a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with more than 200,000 active installations.

This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, enabling actions such as creating new administrator accounts with no prior authentication whatsoever.

Vulnerability Details

  • CVE ID: CVE-2026-8181
  • CVSS Score: 9.8 (Critical)
  • Vulnerability Type: Authentication Bypass to Admin Account Takeover
  • Affected Versions: 3.4.0–3.4.1.1
  • Patched Version: 3.4.2
  • Active Installations: 200,000+

The Burst Statistics plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header.

The critical flaw lies in treating any non-WP_Error return from `wp_authenticate_application_password()` as successful authentication. WordPress core does not guarantee that this function returns a WP_Error on authentication failure: it is written as an `authenticate` filter callback, and on several early-exit paths it returns the original `$input_user` argument unchanged, including null, when Application Passwords are not in use on the site. Because null is not a WP_Error, the plugin's guard silently passes even though no password validation occurred. The only safe success test for this function's return value is an `instanceof WP_User` check; "not an error" is not the same as "authenticated".

This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.

An attacker who knows one valid administrator username can send a single HTTP request carrying a fake Basic Authentication password to any REST endpoint, such as POST /wp-json/wp/v2/users, and create a new administrator account without holding any real credentials.
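The following is an added illustration of the bug class described above, not code from the Burst Statistics plugin or from Wordfence. The plugin's real function is `is_mainwp_authenticated()`; the names `vulnerable_check()`, `hardened_check()` and `fake_wp_authenticate_application_password()` below are stand-ins, and the `WP_Error`/`WP_User` classes, user table and application password are constructed so the file runs without WordPress. The stand-in reproduces only the return shape of core's `wp_authenticate_application_password()` that matters here: when no Application Password exists on the site, it hands back `$input_user` (null) untouched.

```php
<?php
// Added example, not the plugin's code. Minimal stand-ins for WordPress types.
class WP_Error { public function __construct(public string $code, public string $message) {} }
class WP_User  { public function __construct(public int $ID, public string $user_login) {} }

// Constructed user table; the application password below is a demo secret only
// (real ones are stored hashed). $in_use mirrors WP_Application_Passwords::is_in_use().
$users = ['admin' => new WP_User(1, 'admin')];
$demo_app_password = 'abcd efgh ijkl mnop qrst uvwx';

// Stand-in with the same early-return shape as core's authenticate-filter
// callback: on "nothing to validate" it returns $input_user unchanged (null here),
// and only returns WP_Error when it actually checked a password and it was wrong.
function fake_wp_authenticate_application_password($input_user, string $username, string $password,
                                                   array $users, bool $in_use, string $real_password) {
    if ($input_user instanceof WP_User) {
        return $input_user;            // someone earlier in the chain already authenticated
    }
    if (!$in_use) {
        return $input_user;            // no app passwords on the site: NO validation performed
    }
    if (!isset($users[$username])) {
        return new WP_Error('invalid_username', 'Unknown user.');
    }
    if (!hash_equals($real_password, $password)) {
        return new WP_Error('incorrect_password', 'Bad application password.');
    }
    return $users[$username];          // genuine success: a WP_User
}

// Parse "Authorization: Basic base64(user:pass)" into [user, pass], or null if malformed.
function parse_basic_auth(string $header): ?array {
    if (!preg_match('/^Basic\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    return explode(':', $decoded, 2);
}

// VULNERABLE pattern: "not a WP_Error" is treated as "authenticated". With no app
// passwords in use the stand-in returns null, which is not a WP_Error, so this
// accepts any password for any existing username.
function vulnerable_check(string $header, array $users, bool $in_use, string $real_password): bool {
    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return false;
    }
    $result = fake_wp_authenticate_application_password(null, $creds[0], $creds[1], $users, $in_use, $real_password);
    return !($result instanceof WP_Error);   // BUG: null passes this test
}

// HARDENED pattern: only a WP_User return counts, and it must be the account
// named in the header before the caller goes on to impersonate it.
function hardened_check(string $header, array $users, bool $in_use, string $real_password): bool {
    $creds = parse_basic_auth($header);
    if ($creds === null) {
        return false;
    }
    $result = fake_wp_authenticate_application_password(null, $creds[0], $creds[1], $users, $in_use, $real_password);
    return $result instanceof WP_User && $result->user_login === $creds[0];
}

// Demo: an attacker who knows the username "admin" supplies a bogus password
// against a site where no application password has ever been created.
$bogus = 'Basic ' . base64_encode('admin:not-a-real-password');
$real  = 'Basic ' . base64_encode('admin:' . $demo_app_password);

echo 'vulnerable_check, bogus password, app passwords unused: ', var_export(vulnerable_check($bogus, $users, false, $demo_app_password), true), PHP_EOL;
echo 'hardened_check,   bogus password, app passwords unused: ', var_export(hardened_check($bogus, $users, false, $demo_app_password), true), PHP_EOL;
echo 'hardened_check,   bogus password, app passwords in use: ', var_export(hardened_check($bogus, $users, true, $demo_app_password), true), PHP_EOL;
echo 'hardened_check,   real password,  app passwords in use: ', var_export(hardened_check($real, $users, true, $demo_app_password), true), PHP_EOL;
```

The first line is the bypass: the stand-in never looked at the password, returned null, and the vulnerable guard read null as success. The hardened guard rejects the same request because null is not a `WP_User`, and still accepts the genuine application password once one exists. The same `instanceof WP_User` rule applies to any plugin that calls an `authenticate` filter callback directly rather than going through `wp_authenticate()`.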

Researcher Credit

The vulnerability was discovered by PRISM, Wordfence Threat Intelligence's autonomous vulnerability research platform.

Wordfence Protection

On May 8, 2026, Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule protecting against exploits targeting this vulnerability. Sites using the free version of Wordfence will receive the same protection 30 days later, on June 7, 2026.

Full Report

Read the full disclosure on the Wordfence Blog:

https://www.Wordfence.com/blog/2026/05/200000-WordPress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin