A critical authentication bypass in the Burst Statistics WordPress plugin (CVE-2026-8181, CVSS 9.8) lets unauthenticated attackers impersonate administrators over the REST API — and, in the worst case, create rogue admin accounts with no prior access at all. Burst Statistics is installed on more than 200,000 sites, and attackers moved on it fast: Wordfence has blocked thousands of exploit attempts within a single 24-hour window. If you run an affected version, treat this as an emergency.
What the Vulnerability Is
The flaw lives in the plugin's is_mainwp_authenticated() function, which validates application passwords sent in the HTTP Authorization header. Because of incorrect return-value handling, the check can be made to succeed when it should fail.
The practical result: an unauthenticated attacker who knows a valid administrator username can fully impersonate that administrator for the duration of any REST API request — simply by supplying that username with any arbitrary, incorrect password in a Basic Authentication header. From there, the attacker can act with admin privileges, including creating a brand-new administrator account and taking over the site entirely.
Why It Matters
- Unauthenticated and critical (CVSS 9.8). No account, no valid password — just a known or guessable admin username, which is often trivial to enumerate on WordPress.
- Full site takeover. Admin impersonation over REST leads directly to rogue admin creation, plugin/theme edits, and persistent backdoors.
- Actively exploited at scale. Public proof-of-concept exploits exist, and attackers are spraying the internet — Wordfence telemetry showed thousands of blocked attempts in 24 hours.
- Large install base. 200,000+ active installs means a very wide attack surface.
Am I Affected?
You are vulnerable if you run Burst Statistics versions 3.4.0 through 3.4.1.1. The bug was introduced on April 23, 2026 with the 3.4.0 release. It is fixed in 3.4.2 (released May 12, 2026). Versions before 3.4.0 do not contain the flawed code.
Remediation
Update immediately
Upgrade Burst Statistics to 3.4.2 or later right now. If you can't update this minute, deactivate and delete the plugin until you can.
Assume compromise if you were exposed
Because this is actively exploited, an unpatched site may already be breached. Check for unexpected administrator accounts (Users → All Users, filter by Administrator), review recently modified plugin/theme files, and audit REST API access logs for suspicious Basic Auth requests.
Harden and recover
If you find a rogue admin or other tampering: rotate all admin passwords and application passwords, force-logout all sessions, reinstall core/plugins/themes from known-good sources, and review scheduled tasks (wp-cron) and the database for injected users or options.
Quick-Win Checklist
- Update Burst Statistics to 3.4.2+ (or remove it) immediately.
- List all administrator accounts and delete any you don't recognize.
- Rotate admin passwords and revoke/regenerate application passwords.
- Audit REST API logs for Basic Auth requests using admin usernames with bad passwords.
- Check for modified plugin/theme files and unexpected scheduled tasks.
- If breached, rebuild from clean sources rather than just deleting the rogue account.
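The version range from "Am I Affected?" and the log-audit steps in "Assume compromise if you were exposed" and the checklist can be turned into a small triage script. The following is an added example written for this page, not code from the advisory, Wordfence, or the Burst Statistics project. It checks an installed version string against the stated 3.4.0 through 3.4.1.1 range, and it scans web-server access-log lines in the standard "combined" format for the REST API activity that a takeover through this bug would leave behind: reads of the users collection (username enumeration) and POSTs to it (account creation). The log lines in SAMPLE_LOG are constructed for the example, and the endpoint names are WordPress core REST routes; the plugin's own routes are not known from the page and are not checked.

```python
"""Triage helpers for the Burst Statistics auth bypass (CVE-2026-8181).

Added example; not part of the advisory or the plugin.
  1. is_vulnerable_version(): the 3.4.0 .. 3.4.1.1 range stated in the advisory.
  2. triage_access_log(): flags REST API user-endpoint activity in
     combined-format access-log lines (Apache/nginx default).
Standard access logs do not record the Authorization header, so the scan keys
on endpoints and status codes rather than on the Basic Auth credentials.
"""
import re
import sys
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

VULNERABLE_MIN = (3, 4, 0)   # first affected release (April 23, 2026)
FIXED = (3, 4, 2)            # fixed release (May 12, 2026)

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# WordPress core route that lists (GET) and creates (POST) user accounts.
USERS_ROUTE = "/wp/v2/users"

# Constructed sample log; 203.0.113.10 enumerates users and then creates one.
SAMPLE_LOG = """\
203.0.113.10 - - [13/May/2026:02:14:07 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.10 - - [13/May/2026:02:14:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 643 "-" "python-requests/2.31"
198.51.100.7 - - [13/May/2026:02:20:41 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.55 - - [13/May/2026:02:31:02 +0000] "POST /?rest_route=/wp/v2/users HTTP/1.1" 401 112 "-" "curl/8.5.0"
10.0.0.4 - - [13/May/2026:03:00:00 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    severity: str
    kind: str
    ip: str
    ts: str
    line: str


def parse_version(v: str) -> tuple:
    """'3.4.1.1' -> (3, 4, 1, 1); a non-numeric component ends the tuple."""
    parts = []
    for component in v.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True for 3.4.0 <= v < 3.4.2, i.e. 3.4.0 through 3.4.1.1."""
    return VULNERABLE_MIN <= parse_version(v) < FIXED


def rest_route(path: str):
    """Return the REST route of a request path, or None for non-REST requests.

    Handles both the pretty form /wp-json/<route> and the fallback
    /?rest_route=<route> that works without permalinks.
    """
    url = urlsplit(path)
    qs = parse_qs(url.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    if url.path.startswith("/wp-json"):
        return url.path[len("/wp-json"):] or "/"
    return None


def triage_access_log(lines) -> list:
    """Flag requests to the users collection route, ranked by what they achieved."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        route = rest_route(m["path"])
        if route is None or route.rstrip("/") != USERS_ROUTE:
            continue  # only the collection route, not e.g. /wp/v2/users/me
        status = int(m["status"])
        if m["method"] == "POST" and 200 <= status < 300:
            findings.append(Finding("high", "rest_user_created", m["ip"], m["ts"], line))
        elif m["method"] == "POST":
            findings.append(Finding("medium", "rest_user_create_attempt", m["ip"], m["ts"], line))
        elif m["method"] == "GET":
            findings.append(Finding("low", "user_enumeration", m["ip"], m["ts"], line))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py <installed-version> [access.log]
    version = sys.argv[1] if len(sys.argv) > 1 else "3.4.1.1"
    print(f"Burst Statistics {version}: {'VULNERABLE' if is_vulnerable_version(version) else 'not in affected range'}")
    lines = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else SAMPLE_LOG.splitlines()
    for f in triage_access_log(lines):
        print(f"[{f.severity}] {f.kind} from {f.ip} at {f.ts}")
```

A "rest_user_created" hit that you cannot match to an administrator's own action is the strongest indicator here, and the account it created should show up in the Users → All Users list (or `wp user list --role=administrator` under WP-CLI) with a registration time matching the log entry. Enumeration hits on their own are common background noise; they matter when the same IP goes on to create a user or when they cluster in the exposure window between April 23 and May 12, 2026.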
Sources
- BleepingComputer: Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
- GitHub Advisory Database: CVE-2026-8181 — Burst Statistics Authentication Bypass
- Rapid7: WordPress Plugin burst-statistics CVE-2026-8181
- ToolsLib: Critical auth bypass in Burst Statistics puts 200,000 sites at risk