

Authentication bypass in Burst Statistics WordPress plugin enables admin takeover (CVE-2026-8181)

1 unique source, 1 article

Summary


Unpatched installations of the WordPress analytics plugin Burst Statistics (versions 3.4.0 and 3.4.1) are being actively exploited due to a critical authentication bypass flaw, CVE-2026-8181. The vulnerability allows unauthenticated remote attackers to impersonate any privileged WordPress user—including administrators—during REST API requests by supplying an arbitrary password. Successful exploitation can grant full administrative control, enabling site takeover, database access, backdoor deployment, visitor redirection to malicious destinations, malware distribution, and creation of rogue administrator accounts. Admin usernames may be exposed through public content or API endpoints, or guessed via brute-force methods. The issue stems from incorrect handling of authentication results in the ‘wp_authenticate_application_password()’ function, where WP_Error and null values are erroneously treated as authenticated states.

Timeline

  1. 15.05.2026 00:07 1 article · 2h ago

    Active exploitation of Burst Statistics authentication bypass (CVE-2026-8181) underway

    Exploitation of CVE-2026-8181 in the Burst Statistics WordPress plugin has escalated, with threat actors leveraging an auth bypass to impersonate administrators and obtain full site control. The vulnerability affects versions 3.4.0 and 3.4.1 and stems from flawed handling of authentication outcomes in wp_authenticate_application_password(). Wordfence has observed over 7,400 attack attempts in the past 24 hours, underscoring the immediate operational risk. A patched release, version 3.4.2, was issued on May 12, 2026.


Information Snippets

  • CVE-2026-8181 affects Burst Statistics plugin versions 3.4.0 and 3.4.1, introduced in the April 23, 2026 release.

    First reported: 15.05.2026 00:07
    1 source, 1 article
  • The flaw enables unauthenticated attackers to impersonate any known admin user during REST API requests, including core endpoints such as /wp-json/wp/v2/users, by sending a Basic Authentication header with an arbitrary password.

    First reported: 15.05.2026 00:07
    1 source, 1 article
  • Exploitation can result in full administrative account takeover, backdoor installation, database access, visitor redirection to malicious sites, malware distribution, and creation of additional rogue admin accounts without prior authentication.

    First reported: 15.05.2026 00:07
    1 source, 1 article
  • The root cause is incorrect interpretation of authentication results in wp_authenticate_application_password(), specifically treating WP_Error and null as successful authentication, leading to calls to wp_set_current_user() with attacker-supplied usernames.

    First reported: 15.05.2026 00:07
    1 source, 1 article
  • Wordfence discovered the vulnerability on May 8, 2026, and reported that over 7,400 attacks targeting CVE-2026-8181 were blocked in the past 24 hours as of May 14, 2026.

    First reported: 15.05.2026 00:07
    1 source, 1 article
  • A patched version, 3.4.2, was released on May 12, 2026. Users are advised to upgrade immediately or disable the plugin to mitigate risk.

    First reported: 15.05.2026 00:07
    1 source, 1 article
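The root-cause snippet above describes a return-value handling bug: WordPress core's wp_authenticate_application_password() yields a WP_User on success, a WP_Error on failure, or the input user (null) when application-password authentication does not apply, and the plugin treated the last two as success. The PHP below is an added illustration of that class of bug and its fix; it is not Burst Statistics' source, and the function names vulnerable_resolve_user and hardened_resolve_user are hypothetical.

```php
<?php
// Added illustration (not the plugin's code) of how a REST handler that
// resolves Basic Auth credentials itself can mishandle the three possible
// return values of WordPress core's wp_authenticate_application_password():
//   WP_User  -> credentials verified
//   WP_Error -> wrong user or password
//   null     -> unchanged $input_user; auth did not apply to this request

/**
 * Vulnerable pattern: everything except boolean false is treated as success,
 * so both WP_Error and null fall through to wp_set_current_user(), which is
 * then given the caller-supplied login rather than a verified identity.
 * Returns the user ID that ends up active (0 if none).
 */
function vulnerable_resolve_user( string $username, string $password ): int {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( $result !== false ) {                      // BUG: WP_Error and null pass
        $user = wp_set_current_user( 0, $username ); // identity chosen by caller
        return (int) $user->ID;
    }
    return 0;
}

/**
 * Hardened pattern: only a WP_User instance counts as authenticated, and the
 * identity activated is the one core verified, never the submitted username.
 */
function hardened_resolve_user( string $username, string $password ): int {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( ! ( $result instanceof WP_User ) ) {
        return 0;                                   // WP_Error or null: reject
    }
    wp_set_current_user( $result->ID );
    return (int) $result->ID;
}
```

A quick review check for similar plugin code is to grep for wp_authenticate_application_password() and confirm every caller tests the result with instanceof WP_User (or is_wp_error() plus a null check) before calling wp_set_current_user().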