In a major discovery for the WordPress ecosystem, PRISM, Wordfence Threat Intelligence’s autonomous vulnerability research platform, has identified a critical authentication bypass vulnerability in Burst Statistics. This privacy-friendly analytics plugin, which boasts over 200,000 active installations, is currently being targeted by hackers in the wild.
The flaw, tracked as CVE-2026-8181 with a “Critical” CVSS score of 9.8, was introduced on April 23, 2026. Highlighting the dangerous speed of the modern threat landscape, Wordfence reported blocking “5,318 attacks targeting this vulnerability in the past 24 hours”.
The issue resides in the plugin’s integration with the MainWP site management platform. To support remote management, Burst Statistics implements a custom authentication scheme that is invoked during every REST API request, not just those specific to the plugin.
The critical breakdown occurs in the is_mainwp_authenticated() function. When a user provides Basic Authentication credentials, the plugin passes them to a core WordPress function, wp_authenticate_application_password(), to verify them.
The report explains the technical failure: “The critical flaw lies in treating any non-WP_Error return from wp_authenticate_application_password() as successful authentication”. In certain scenarios, such as when Application Passwords are not enabled, the function returns null instead of an error. Because null is not a WP_Error, the plugin’s security check silently passes, even though no password validation ever occurred.
This vulnerability allows unauthenticated attackers who simply know a valid administrator username to fully impersonate that user for the duration of a request by supplying “any arbitrary and incorrect password in a Basic Authentication header”.
Once the “null” check passes, the plugin calls wp_set_current_user(), effectively logging the attacker in. In a worst-case scenario, “an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever” by sending a single request to the WordPress core users endpoint.
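To make the logic error concrete, here is an added example (not the plugin’s own code, nor Wordfence’s): a minimal PHP file that simulates the relevant behaviour of the WordPress core functions with constructed stand-ins so it runs offline on the PHP CLI, and places the vulnerable “not a WP_Error” check beside the hardened “must be a WP_User” check that the patch description implies. The mainwp_auth_* function names, the get_user_by_login helper and the credential values are assumptions.

```php
<?php
// Added illustrative example, not the plugin's or WordPress core's source.
// The classes and functions in this first section are constructed stand-ins
// that mimic only the core behaviour relevant to the bug.

class WP_Error { public $msg; function __construct( $m ) { $this->msg = $m; } }
class WP_User {
    public $ID; public $user_login;
    function __construct( $id, $login ) { $this->ID = $id; $this->user_login = $login; }
}
function is_wp_error( $x ) { return $x instanceof WP_Error; }

$GLOBALS['current_user_id']      = 0;
$GLOBALS['app_passwords_in_use'] = false;   // the scenario the article describes
function wp_set_current_user( $id ) { $GLOBALS['current_user_id'] = $id; return $id; }

// Stand-in for core's wp_authenticate_application_password(): when Application
// Passwords are not in use, core hands back $input_user untouched (null here)
// instead of a WP_Error. That null is the whole problem.
function wp_authenticate_application_password( $input_user, $username, $password ) {
    if ( $input_user instanceof WP_User ) { return $input_user; }
    if ( ! $GLOBALS['app_passwords_in_use'] ) { return $input_user; }
    // Constructed credential store: one application password for "admin".
    if ( $username === 'admin' && $password === 'correct horse battery staple' ) {
        return new WP_User( 1, 'admin' );
    }
    return new WP_Error( 'invalid_application_password' );
}
// Assumed helper standing in for get_user_by( 'login', ... ).
function get_user_by_login( $login ) {
    return $login === 'admin' ? new WP_User( 1, 'admin' ) : false;
}

// Vulnerable pattern described in the article: "success" means "not a WP_Error".
function mainwp_auth_vulnerable( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( ! is_wp_error( $result ) ) {              // null slips through here
        $user = get_user_by_login( $username );    // assumed: resolve the named user
        if ( $user ) { wp_set_current_user( $user->ID ); return true; }
    }
    return false;
}

// Hardened pattern: proceed only with a real WP_User for the requested login.
function mainwp_auth_fixed( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( $result instanceof WP_User && $result->user_login === $username ) {
        wp_set_current_user( $result->ID );
        return true;
    }
    return false;                                  // null, false and WP_Error all fail closed
}

// Application Passwords disabled, wrong password supplied for a valid username.
var_dump( mainwp_auth_vulnerable( 'admin', 'wrong' ) );
var_dump( mainwp_auth_fixed( 'admin', 'wrong' ) );

// Application Passwords enabled with the correct password: the fix still lets
// legitimate application-password authentication through.
$GLOBALS['app_passwords_in_use'] = true;
var_dump( mainwp_auth_fixed( 'admin', 'correct horse battery staple' ) );
```

With Application Passwords disabled, the vulnerable function accepts the wrong password and sets the current user to the administrator, while the hardened function rejects it; with Application Passwords enabled and the correct password, the hardened function still authenticates. The defensive rule the example illustrates is general: a core function that can return null, false, a WP_Error or a WP_User must be checked for the one success type, never for the absence of one failure type.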

The developer has released a patch that fixes the logic error by requiring a valid WP_User object before proceeding with authentication.
- Affected Versions: 3.4.0 to 3.4.1.1.
- The Fix: All users are urged to update to Burst Statistics version 3.4.2 or later immediately.