CVE-2026-8181 — a critical authentication-bypass bug in the Burst Statistics WordPress plugin — can let unauthenticated attackers impersonate administrators on sites that run the extension, researchers warn. The plugin is active on roughly 200,000 sites, and evidence of exploitation has already been observed.
CVE-2026-8181 and the Burst Statistics REST API bug
The vulnerability, tracked as CVE-2026-8181, was introduced on April 23 with the release of Burst Statistics version 3.4.0 and persisted in 3.4.1. Wordfence, which discovered the issue on May 8, explains that the flaw allows unauthenticated actors to impersonate known admin users during REST API requests — including WordPress core endpoints such as /wp-json/wp/v2/users — by supplying any arbitrary and incorrect password in a Basic Authentication header.
At the root is an incorrect interpretation of the results returned by the wp_authenticate_application_password() function: the plugin treats a WP_Error (and, in some cases, a null return value) as if authentication had succeeded. That leads the code to call wp_set_current_user() with the attacker-supplied username, effectively impersonating that user for the duration of the REST API request.
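The return-value mix-up described above, as an added illustration (not the Burst Statistics plugin's own code): the vulnerable check treats anything other than false as an authenticated user, while the hardened check accepts only a real user object. The WP_Error class, is_wp_error() and wp_authenticate_application_password() here are minimal stand-ins for the WordPress originals so the file runs with plain `php`; the user table, credentials and the resolve_user_* function names are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Stand-ins for the WordPress pieces involved.
class WP_Error { public $code; function __construct($c) { $this->code = $c; } }
function is_wp_error($thing) { return $thing instanceof WP_Error; }

// Stand-in for wp_authenticate_application_password(): a user object on success,
// a WP_Error when the user exists but the password is wrong, null when no
// Basic Auth credentials were sent. The user table is constructed for this example.
function wp_authenticate_application_password($input_user, $username, $password) {
    $users = ['admin' => ['id' => 1, 'app_password' => 'correct-app-pw']];
    if ($username === null) { return null; }
    if (!isset($users[$username])) { return new WP_Error('invalid_username'); }
    if ($password !== $users[$username]['app_password']) { return new WP_Error('incorrect_password'); }
    return (object) ['ID' => $users[$username]['id']];
}

// Vulnerable pattern from the article: any non-false result counts as success,
// so a WP_Error (wrong password) and null both fall through as "authenticated".
function resolve_user_vulnerable($username, $password) {
    $result = wp_authenticate_application_password(null, $username, $password);
    if ($result !== false) {
        return $username;   // caller would hand this name to wp_set_current_user()
    }
    return 0;
}

// Hardened pattern: only a user object carrying a numeric ID is an authenticated user;
// null, WP_Error or anything else returns 0 so WordPress keeps the request unauthenticated.
function resolve_user_fixed($username, $password) {
    $result = wp_authenticate_application_password(null, $username, $password);
    if ($result === null || is_wp_error($result) || !is_object($result) || empty($result->ID)) {
        return 0;
    }
    return (int) $result->ID;
}

// Same known username with a wrong password: only the vulnerable check resolves a user.
var_dump(resolve_user_vulnerable('admin', 'wrong'));
var_dump(resolve_user_fixed('admin', 'wrong'));
var_dump(resolve_user_fixed('admin', 'correct-app-pw'));
```

The distinguishing check is is_wp_error() plus the null guard before the result is trusted; an audit of any custom authentication filter should confirm both are present.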
How attackers are exploiting exposed or guessed admin names
Attackers can only exploit this bypass if they know a valid administrator username, but Wordfence notes admin usernames are often easy to obtain. “Admin usernames may be exposed in blog posts, comments, or even in public API requests,” the researchers wrote, and they add that attackers can also use brute-force techniques to guess usernames. Once an attacker supplies a valid username in the vulnerable flow, any Basic Authentication password will be accepted for the REST request.
What successful impersonation allows — the immediate risks
Wordfence warns the consequences are severe. “In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever,” the firm wrote. Admin-level access, the researchers note, enables a range of damaging actions: accessing private databases, planting backdoors, redirecting visitors to unsafe locations, distributing malware, creating additional rogue admin users, and other takeover activities.
Scope, mitigation, and evidence of active attacks
Burst Statistics is marketed as a privacy-focused analytics plugin and is active on some 200,000 WordPress sites. The plugin maintainer issued a patched release, version 3.4.2, on May 12, 2026. Wordfence’s public tracker shows the firm has already blocked over 7,400 attacks targeting CVE-2026-8181 in the past 24 hours, underlining that exploitation is not theoretical.
WordPress.org download statistics show 85,000 downloads since the release of 3.4.2; assuming those downloads represent sites updated to the patched version, roughly 115,000 installations remain potentially exposed. Wordfence’s guidance is unambiguous: update to 3.4.2 as soon as possible or disable the plugin.
What this means for technologists, site owners, and end users
- Technologists and security teams: prioritize scanning inventories for Burst Statistics versions 3.4.0 and 3.4.1, and verify whether any REST API endpoints have been invoked by unknown or suspicious actors. Apply the 3.4.2 patch released May 12, 2026, or disable the plugin until patched.
- Site owners and administrators: confirm whether administrator usernames are exposed publicly (in posts, comments, or APIs) and rotate administrator credentials and API keys if compromise is suspected. Investigate audit logs for new administrator accounts or unexpected REST API activity.
- End users and visitors: be alert for unusual redirects, unexpected downloads, or pages that prompt for credentials; those can be indicators of compromised sites using admin-level access to distribute malware or redirect traffic.
The sequence is straightforward and urgent: a logic error in a widely used plugin reduced the requirement for a valid password to a knowledge-only test of a username, attackers have already probed and leveraged that gap, and a patch is available. The unresolved question in the immediate term is how many of the roughly 115,000 remaining installations will be updated before further compromise occurs — and how many already have been. Site operators who run Burst Statistics should treat the update or disable decision as critical and immediate.