Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
Cybersecurity NewsArchived May 18, 2026✓ Full text saved
A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool. Tracked as CVE-2026-8181 with a CVSS score […] The post Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks appeared fi
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
By Abinaya
May 18, 2026
A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community.
Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool.
Tracked as CVE-2026-8181 with a CVSS score of 9.8, the vulnerability enables unauthenticated attackers to bypass authentication and impersonate administrator accounts.
The issue impacts versions 3.4.0 through 3.4.1.1 and was introduced on April 23, 2026.
Notably, it was identified within just 15 days and patched 19 days later, highlighting how AI-driven vulnerability discovery is shrinking the exploitation window.
WordPress Plugin Auth Bypass Flaw
The vulnerability stems from improper validation in the plugin’s MainWP integration, specifically within the is_mainwp_authenticated() function.
This function processes authentication requests via the HTTP Authorization header but fails to verify the credentials’ validity.
Due to insecure return-value handling, the plugin treats any non-error response from WordPress’s wp_authenticate_application_password() function as successful authentication.
In certain cases, this function returns null instead of an error when authentication fails, allowing malicious requests to pass through unchecked.
An attacker can exploit this flaw by sending a crafted REST API request with a valid administrator username and any arbitrary password encoded in a Basic Authentication header.
The plugin then sets the current user context to the targeted administrator, effectively granting full privileges for the duration of the request.
Successful exploitation allows attackers to perform high-privilege actions without prior authentication.
For example, a single request to the /wp-json/wp/v2/users endpoint could create a new administrator account, enabling persistent access and complete site compromise.
Because the vulnerability affects all REST API endpoints, attackers can abuse core WordPress functionality beyond the plugin itself, significantly increasing the attack surface.
Patch and Mitigation
The Burst Statistics team responded rapidly after disclosure. Wordfence initiated responsible disclosure on May 8, shared full details on May 11, and the vendor released a patched version (3.4.2) on May 12, 2026.
Users are strongly advised to update immediately to version 3.4.2 or later to mitigate the risk.
Wordfence customers using Premium, Care, or Response tiers received firewall protection on May 8, while free users are scheduled to receive the same protection on June 7, 2026.
Security experts warn that the simplicity of exploitation and lack of authentication make this vulnerability highly attractive to threat actors.
Administrators should audit user accounts, monitor logs, and ensure immediate patching to prevent compromise.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026
Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager
Malicious JPEG Images Could Trigger PHP Memory Safety Vulnerabilities
New BitUnlocker Downgrade Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes
79 Chrome Vulnerabilities Patched, Including 14 Critical One’s – Update Now!
Latest News
Cyber Security News
Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks
Cyber Security News
Grafana Labs Security Breach – Hackers Access GitHub and Download Codebase
Cyber Security News
First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days
Cyber Security News
Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2
Cyber Security News
JDownloader Website Compromised to Distribute Malicious Windows and Linux Installers