
Critical Auth Bypass in Burst Statistics Plugin Enables Admin Takeover

Severity: High (Score: 72.0)

Sources: www.wordfence.com, Bleepingcomputer, Scworld

Summary

Hackers are exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin, tracked as CVE-2026-8181. The flaw was introduced in version 3.4.0, is still present in 3.4.1, and affects approximately 200,000 WordPress sites. Discovered by Wordfence, the vulnerability allows unauthenticated attackers to impersonate existing administrators or create new administrator accounts through REST API requests: supplying incorrect credentials in a Basic Authentication header is enough to obtain administrative access. Over 7,400 attacks targeting this vulnerability were blocked in the past 24 hours, indicating significant exploitation activity. Users are strongly advised to update to version 3.4.2 or disable the plugin to mitigate the risk. Successful exploitation can lead to data theft and malware distribution.

Key Points:

  • CVE-2026-8181 allows admin-level access via an authentication bypass in the Burst Statistics plugin.
  • The flaw affects around 200,000 WordPress sites, with over 7,400 attacks blocked in one day.
  • Users must update to version 3.4.2 or disable the plugin to prevent exploitation.
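Because the advisory pins the affected range precisely (introduced in 3.4.0, still present in 3.4.1, fixed in 3.4.2), the first thing a site owner wants is a quick, offline way to tell whether an installed copy is in that range. The script below is an added example, not code from the advisory, Wordfence or the Burst Statistics project. It parses the standard WordPress plugin file header for the `Version:` field and compares it against the advisory's range; the plugin directory slug `burst-statistics` and the sample header embedded in the script are assumptions constructed for illustration.

```python
"""Check whether an installed Burst Statistics plugin falls in the affected range.

Added example (not from the advisory or the plugin project). The plugin
directory slug 'burst-statistics' and SAMPLE_PLUGIN_HEADER are assumptions
constructed for illustration.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Affected range as stated in the advisory: introduced in 3.4.0, still present
# in 3.4.1, fixed in 3.4.2.
FIRST_AFFECTED = (3, 4, 0)
FIXED_IN = (3, 4, 2)

# Standard WordPress plugin file header lines, e.g. " * Version: 3.4.1".
VERSION_HEADER = re.compile(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)
PLUGIN_NAME_HEADER = re.compile(r"^[\s*#/]*Plugin Name:", re.MULTILINE)

# Constructed sample of a plugin main-file header (not the real plugin source).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Burst Statistics
 * Version: 3.4.1
 * Requires at least: 6.0
 */
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """'3.4.1' -> (3, 4, 1); '3.4' -> (3, 4, 0). Non-numeric suffixes such as '-beta' are dropped."""
    nums = []
    for part in text.strip().split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    """True when 3.4.0 <= version < 3.4.2, the range the advisory names."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Return the Version: field from a plugin file header, or None if the file has no plugin header."""
    if not PLUGIN_NAME_HEADER.search(php_source):
        return None
    m = VERSION_HEADER.search(php_source)
    return m.group(1) if m else None


def assess(php_source: str) -> Dict[str, object]:
    """Classify one plugin header: installed version, affected flag, recommended action."""
    version = version_from_plugin_header(php_source)
    if version is None:
        return {"version": None, "affected": None, "action": "no plugin header found"}
    affected = is_affected(version)
    action = "update to 3.4.2 or later, or deactivate the plugin" if affected else "no action required"
    return {"version": version, "affected": affected, "action": action}


def assess_install(wp_root: str, slug: str = "burst-statistics") -> Dict[str, object]:
    """Locate the plugin's main file under wp-content/plugins/<slug>/ and assess it.

    WordPress reads plugin headers from the top-level .php files of the plugin
    directory, so that is where this looks. The slug is an assumption.
    """
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return {"version": None, "affected": None, "action": "plugin not installed"}
    for php in sorted(plugin_dir.glob("*.php")):
        # Plugin headers sit at the top of the file; reading the first 8 KB is enough.
        result = assess(php.read_text(errors="replace")[:8192])
        if result["version"] is not None:
            return result
    return {"version": None, "affected": None, "action": "no plugin header found"}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess_install(sys.argv[1]))  # e.g. python check.py /var/www/html
    else:
        print(assess(SAMPLE_PLUGIN_HEADER))
```

Run it with the WordPress document root as the only argument to check a live install, or with no argument to see the verdict for the constructed sample header. Version strings are normalised to three numeric components so that a header reading `3.4` is treated as `3.4.0`, which WordPress's own version comparison also does.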

Key Entities

  • Brute Force (attack_type)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • CVE-2026-8181 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • wordpress.org (domain)
  • T1078 - Valid Accounts (mitre_attack)
  • T1110 - Brute Force (mitre_attack)
  • T1136 - Create Account (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Burst Statistics (platform)
  • WordPress (platform)
