Hackers Exploit Auth Bypass Flaw in Burst Statistics WordPress Plugin

Vulnerability in Burst Statistics WordPress plugin exploited by attackers

Cybercriminals are actively exploiting a significant authentication bypass flaw in the Burst Statistics plugin for WordPress. This vulnerability allows attackers to gain administrator privileges on affected websites without authentication. The flaw, designated as CVE-2026-8181, was introduced in version 3.4.0, released on April 23, and persists in version 3.4.1. Since its discovery, malicious activity targeting sites with this vulnerability has been on the rise, with over 7,400 attacks blocked in a 24-hour period.

Details of the vulnerability

The core issue lies in how the plugin authenticates REST API requests. The code misinterprets the return value of wp_authenticate_application_password(): it treats a WP_Error, which actually signals a failed login, as a successful one. The function can also return null in certain situations, and the code mistakes that for valid authentication as well. This logic flaw lets an attacker impersonate any known administrator by supplying that username with any password in the Basic Authentication header of a REST API call.
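The following is an added example, not the plugin's source or Wordfence's analysis. It contrasts a naive interpretation of the three values wp_authenticate_application_password() can return (a WP_User, a WP_Error, or null) with a strict check that only accepts a real user object; the WP_User, WP_Error and is_wp_error() stand-ins are constructed so the file runs outside WordPress, and the naive check is an illustration of the class of mistake described above, not the plugin's actual code.

```php
<?php
// Stand-ins for WordPress core classes/helpers so this runs outside
// WordPress. In a real plugin these come from core; the constructor
// signatures here are simplified and are an assumption of this example.
class WP_User  { public function __construct(public int $ID) {} }
class WP_Error { public function __construct(public string $code) {} }
function is_wp_error($thing): bool { return $thing instanceof WP_Error; }

// Naive check (constructed illustration, not the plugin's real code):
// it only rejects an explicit `false`, so a WP_Error object and a null
// pass-through are both counted as a successful login.
function naive_is_authenticated($result): bool {
    return $result !== false;
}

// Hardened check: only a WP_User with a positive ID is a real login.
// WP_Error means the credentials were rejected; null means core never
// attempted application-password authentication for this request, which
// is also not a login.
function strict_is_authenticated($result): bool {
    if ($result === null || is_wp_error($result)) {
        return false;
    }
    return $result instanceof WP_User && $result->ID > 0;
}

// Constructed sample of the three outcomes the core function can produce.
$outcomes = [
    'valid app password' => new WP_User(1),
    'wrong password'     => new WP_Error('invalid_application_password'),
    'auth not attempted' => null,
];

foreach ($outcomes as $label => $result) {
    printf("%-20s naive=%-5s strict=%s\n", $label,
        var_export(naive_is_authenticated($result), true),
        var_export(strict_is_authenticated($result), true));
}
```

Only the first row ("valid app password") should be accepted; the naive check accepts all three, which is exactly how a guessed username with an arbitrary password ends up treated as an administrator session.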

This flaw effectively allows an attacker to impersonate administrator users without any prior authentication. Once impersonated, the attacker can execute any action available to an administrator, including creating new admin accounts, accessing private data, planting backdoors, redirecting visitors, or distributing malware.

Impact and potential consequences

Exploiting this vulnerability grants full control over the affected WordPress site at the administrator level. Attackers can modify or delete content, access sensitive databases, or compromise the site to serve malicious purposes. The exposure of admin usernames in public comments, posts, or API responses can facilitate brute-force attacks to identify valid administrator accounts. This increases the likelihood of persistent unauthorized access if the vulnerability remains unpatched.

Who is involved

The plugin in question, Burst Statistics, is marketed as a privacy-friendly alternative to Google Analytics. It has been downloaded over 85,000 times since the release of version 3.4.2, which patches the vulnerability. The plugin is active on approximately 200,000 WordPress sites. The vulnerability was discovered by Wordfence, a cybersecurity firm specializing in WordPress security, which promptly issued a warning and began monitoring malicious activity.

Current threat landscape

Since the disclosure, attackers have quickly adapted, with automated scripts scanning for sites running vulnerable versions. The attack volume indicates a concerted effort to compromise sites en masse. Malicious actors are attempting to create rogue administrator accounts, access private data, and embed malicious code. The rapid response from Wordfence shows the severity of the threat, emphasizing the importance of immediate action for site owners.

Mitigation strategies

Site administrators should prioritize updating to the latest version of the plugin, which is version 3.4.2, released on May 12, 2026. This version patches the vulnerability and disables the flawed authentication logic. If updating is not immediately feasible, disabling the plugin temporarily reduces the attack surface. For those concerned about security, consider using a security plugin with active monitoring or web application firewall rules that can block suspicious REST API activity.

Implementing strong access controls and limiting REST API access can further reduce risk. Restrict API endpoints to trusted IP addresses or authenticated users where possible. Regularly review user accounts for unknown or suspicious entries. Employing a reputable security solution such as Malwarebytes can help detect and block malicious activity, especially if the site has been targeted.

For additional protection, site owners should consider using a comprehensive security suite that offers real-time monitoring, malware scanning, and firewall rules specifically tailored for WordPress environments. These measures can prevent attackers from exploiting known vulnerabilities and provide early detection of suspicious activity.

Conclusion

The exploitation of the Burst Statistics WordPress plugin vulnerability underscores the importance of keeping plugins updated and monitoring for suspicious activity. With over 115,000 sites potentially still exposed to the risk, immediate action is critical. WordPress administrators should verify their plugin versions, disable or remove vulnerable plugins, and adopt best security practices to mitigate the risk of unauthorized access and data breaches.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
