CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 18, 2026

Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks

Cybersecurity News Archived May 18, 2026 ✓ Full text saved

A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool. Tracked as CVE-2026-8181 with a CVSS score […] The post Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks appeared fi

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks By Abinaya May 18, 2026 A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool. Tracked as CVE-2026-8181 with a CVSS score of 9.8, the vulnerability enables unauthenticated attackers to bypass authentication and impersonate administrator accounts. The issue impacts versions 3.4.0 through 3.4.1.1 and was introduced on April 23, 2026. Notably, it was identified within just 15 days and patched 19 days later, highlighting how AI-driven vulnerability discovery is shrinking the exploitation window. WordPress Plugin Auth Bypass Flaw The vulnerability stems from improper validation in the plugin’s MainWP integration, specifically within the is_mainwp_authenticated() function. This function processes authentication requests via the HTTP Authorization header but fails to verify the credentials’ validity. Due to insecure return-value handling, the plugin treats any non-error response from WordPress’s wp_authenticate_application_password() function as successful authentication. In certain cases, this function returns null instead of an error when authentication fails, allowing malicious requests to pass through unchecked. An attacker can exploit this flaw by sending a crafted REST API request with a valid administrator username and any arbitrary password encoded in a Basic Authentication header. The plugin then sets the current user context to the targeted administrator, effectively granting full privileges for the duration of the request. Successful exploitation allows attackers to perform high-privilege actions without prior authentication. For example, a single request to the /wp-json/wp/v2/users endpoint could create a new administrator account, enabling persistent access and complete site compromise. Because the vulnerability affects all REST API endpoints, attackers can abuse core WordPress functionality beyond the plugin itself, significantly increasing the attack surface. Patch and Mitigation The Burst Statistics team responded rapidly after disclosure. Wordfence initiated responsible disclosure on May 8, shared full details on May 11, and the vendor released a patched version (3.4.2) on May 12, 2026. Users are strongly advised to update immediately to version 3.4.2 or later to mitigate the risk. Wordfence customers using Premium, Care, or Response tiers received firewall protection on May 8, while free users are scheduled to receive the same protection on June 7, 2026. Security experts warn that the simplicity of exploitation and lack of authentication make this vulnerability highly attractive to threat actors. Administrators should audit user accounts, monitor logs, and ensure immediate patching to prevent compromise. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026 Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes 79 Chrome Vulnerabilities Patched, Including 14 Critical One’s – Update Now! Latest News Cyber Security News Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks Cyber Security News Grafana Labs Security Breach – Hackers Access GitHub and Download Codebase Cyber Security News First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days Cyber Security News Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2 Cyber Security News JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 18, 2026
    Archived
    May 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗