A critical vulnerability in a popular WordPress plugin has put more than 200,000 websites at risk of unauthorized access. The issue was discovered in the Burst Statistics plugin, a privacy-focused analytics tool widely used across WordPress environments.
Security researchers from Wordfence identified the flaw and warned that attackers could gain administrator-level access without needing valid login credentials.
Authentication Bypass Creates Major Risk
The vulnerability, tracked as CVE-2026-8181, affects Burst Statistics versions 3.4.0 through 3.4.1.1. It carries a critical CVSS score of 9.8 due to the ease of exploitation and the level of access it provides.
The issue is linked to improper authentication handling within the plugin’s MainWP integration. In certain cases, the plugin incorrectly accepts invalid authentication responses as successful, allowing attackers to bypass security checks.
By sending specially crafted requests to WordPress REST API endpoints, attackers can impersonate an administrator if they know a valid admin username. No password cracking or credential theft is required.
This significantly lowers the barrier for exploitation and increases the risk of automated internet-wide attacks targeting vulnerable websites.
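The following PHP is an added illustration of the bug class the article describes, not Burst Statistics' own code and not a reconstruction of the patched routine. It shows a REST `permission_callback` that treats any answer other than a literal `false` from an integration check as success and takes the acting user from a request parameter, beside a hardened version that requires an explicit `true` and then still gates on the real WordPress session and capability. Every name in it (`example_integration_verify`, the `X-Example-Token` header, the `example_integration_token` option, the `example/v1/stats` route) is an assumption made for the example.

```php
<?php
/**
 * Hypothetical illustration of "an invalid authentication response is treated
 * as success". Not Burst Statistics' code; names are invented for the example.
 * Drop into a plugin file on a test site to see the two permission callbacks
 * behave differently for an unauthenticated request.
 */

// Hypothetical integration verifier. It returns true on success, but on failure
// it returns null (no token sent) or a WP_Error (token mismatch), never false.
function example_integration_verify( WP_REST_Request $request ) {
    $token = (string) $request->get_header( 'X-Example-Token' );
    if ( '' === $token ) {
        return null; // nothing to verify
    }
    $expected = (string) get_option( 'example_integration_token', '' );
    if ( '' === $expected || ! hash_equals( $expected, $token ) ) {
        return new WP_Error( 'example_bad_token', 'Token mismatch' );
    }
    return true;
}

// VULNERABLE pattern: only a literal false is rejected, so null and WP_Error
// count as "verified", and the identity to act as comes from the request body.
// An unauthenticated caller who knows an administrator's login name passes.
function example_permission_vulnerable( WP_REST_Request $request ) {
    $verified = example_integration_verify( $request );
    if ( false !== $verified ) {
        $user = get_user_by( 'login', (string) $request->get_param( 'username' ) );
        if ( $user ) {
            wp_set_current_user( $user->ID ); // caller now acts as that user
            return true;
        }
    }
    return false;
}

// HARDENED pattern: require an explicit true from the verifier, never derive
// identity from request data, and still require a logged-in WordPress session
// with the capability the endpoint needs. The integration check no longer
// substitutes for session authentication.
function example_permission_hardened( WP_REST_Request $request ) {
    $verified = example_integration_verify( $request );
    if ( true !== $verified ) {
        return new WP_Error( 'rest_forbidden', 'Not authorised', array( 'status' => 401 ) );
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not authorised', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical route wired to the hardened callback. Swapping in
// example_permission_vulnerable reproduces the bypass on a test site.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/stats', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => 'example_permission_hardened',
    ) );
} );
```

The point to take from the pair is the comparison: `false !== $verified` is a negative check that accepts every failure shape the verifier did not anticipate, whereas `true !== $verified` accepts exactly one value. The second change, refusing to set the current user from request data and checking `is_user_logged_in()` and `current_user_can()` instead, is what the article's description of the fix (validating the authenticated WordPress user session before granting access) corresponds to.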
Potential Website Takeover and Security Response
Once the flaw is exploited, attackers could create new administrator accounts and gain persistent access to the website. From there, they may modify content, inject malicious code, redirect visitors, or deploy additional malware.
Because the attack only requires knowledge of an administrator username, exposed websites could become easy targets for mass scanning campaigns.
Wordfence deployed a firewall rule for users of its security products soon after discovering the issue; such a rule blocks known exploitation attempts but does not remove the flaw from the plugin. The plugin developer responded by releasing version 3.4.2, which validates the authenticated WordPress user session before granting access.
Website owners using the Burst Statistics plugin are strongly advised to update immediately to the latest patched version to prevent unauthorized access and possible site compromise. Because a successful attack can leave behind new administrator accounts, owners of sites that ran an affected version exposed to the internet should also review the list of administrator users and remove any they do not recognise.