Critical Authentication Bypass in Burst Statistics Plugin Exposes 115,000 WordPress Sites
A critical authentication bypass vulnerability, **CVE-2026-8181**, in the **Burst Statistics** WordPress plugin is being actively exploited to gain administrator-level access to websites. Roughly 115,000 sites are estimated to still be running a vulnerable version and should update or disable the plugin without delay.

Hackers are actively exploiting a critical authentication bypass vulnerability in the **Burst Statistics** WordPress plugin to obtain administrator privileges on affected websites.
**What is Burst Statistics?**
**Burst Statistics** is a privacy-focused analytics plugin used on over 200,000 WordPress sites, marketed as a lightweight alternative to **Google Analytics**.
**CVE-2026-8181: The Vulnerability**
The vulnerability, tracked as **CVE-2026-8181**, was introduced in version 3.4.0 of the plugin on April 23rd, 2026, and was also present in version 3.4.1.
**Wordfence** discovered the flaw on May 8th, 2026, and reported that it allows unauthenticated attackers to impersonate legitimate admin users during REST API requests and, from there, to create new rogue admin accounts.
According to **Wordfence**: "This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header."
They further explain that an attacker could exploit this flaw to create a new administrator-level account without any prior authentication.
**Root Cause Analysis**
The root cause is a mishandling of the return value of `wp_authenticate_application_password()`. That function returns a `WP_User` on success but a `WP_Error` when the password is wrong; the plugin treats the `WP_Error` as a successful authentication.
WordPress core can also return `null` from this function when application-password authentication does not apply to the request, and the plugin likewise treats that as an authenticated request. In both cases the plugin then calls `wp_set_current_user()` with the attacker-supplied username, so the attacker acts as that user for the duration of the REST API request.
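The return-value mistake described above, as an added illustrative PHP sketch: this is not the Burst Statistics plugin's code (the page does not show it), and the `burst_demo_*` function names are hypothetical, but `wp_authenticate_application_password()`, `wp_set_current_user()`, `get_user_by()`, `is_wp_error()` and `WP_Error` are the real WordPress core APIs with their real signatures. The first function shows how a check that only rejects `false` lets both a `WP_Error` and a `null` result through; the second fails closed unless a `WP_User` comes back.

```php
<?php
/*
 * Added illustrative sketch of the bug class described in this article.
 * This is NOT the Burst Statistics plugin's code, and the burst_demo_*
 * function names are hypothetical. The WordPress functions used are real:
 *
 *   wp_authenticate_application_password( $input_user, $username, $password )
 *     returns a WP_User on a valid application password, a WP_Error for an
 *     unknown user or wrong password, and hands $input_user back unchanged
 *     (null here) when core decides application-password authentication
 *     does not apply to the request.
 *
 * Both functions take the username and password parsed from a Basic
 * Authentication header on a REST request.
 */

/**
 * VULNERABLE PATTERN. "Not false" is treated as "authenticated", so a
 * WP_Error (wrong password) and null (core did not authenticate) both pass.
 */
function burst_demo_vulnerable_rest_auth( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );

	// WP_Error objects and null are both !== false. Nothing here proves the
	// supplied password belongs to $username.
	if ( false !== $result ) {
		$user = get_user_by( 'login', $username );
		if ( $user ) {
			// The request now runs as whoever the attacker named.
			wp_set_current_user( $user->ID );
			return true;
		}
	}

	return false;
}

/**
 * HARDENED PATTERN. Only a WP_User counts as success, and the current user
 * is set from that object's ID, never from the caller-supplied login name.
 */
function burst_demo_hardened_rest_auth( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );

	if ( is_wp_error( $result ) ) {
		// Wrong password, unknown user, application passwords disabled, ...
		return $result;
	}

	if ( ! ( $result instanceof WP_User ) ) {
		// null: core did not authenticate anyone. Fail closed.
		return new WP_Error(
			'rest_not_logged_in',
			'Application password authentication did not succeed.',
			array( 'status' => 401 )
		);
	}

	wp_set_current_user( $result->ID );
	return true;
}
```

The distinguishing check is `$result instanceof WP_User`. A plain truthiness test (`if ( $result )`) is not enough either, because a `WP_Error` object is truthy in PHP; and setting the current user from `$result->ID` rather than from the supplied login removes the impersonation path even if the check is later loosened.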
Admin usernames are often exposed in blog posts, comments, or public API responses, and where they are not, they can be guessed by brute force.
**Impact of Admin-Level Access**
Gaining admin-level access allows attackers to:
* Read private data from the site database
* Plant backdoors
* Redirect visitors to malicious sites
* Distribute malware
* Create rogue admin users
**Exploitation in the Wild**
**Wordfence** had warned that exploitation was likely, and its threat intelligence indicates that attacks targeting **CVE-2026-8181** have already begun: the company reports blocking over 7,400 attempts against the vulnerability in the 24 hours preceding its report.
**Mitigation Steps**
Users of the **Burst Statistics** plugin are strongly advised to upgrade to the patched version, 3.4.2, released on May 12th, 2026, or to disable the plugin entirely. Because exploitation is already underway, sites that ran 3.4.0 or 3.4.1 while exposed should also review their administrator accounts for unexpected users.
**Vulnerable Landscape**
**WordPress.org** stats indicate that **Burst Statistics** has been downloaded approximately 85,000 times since the release of version 3.4.2. Set against the plugin's 200,000-plus active installations, and assuming each download corresponds to one updated site, roughly 115,000 sites remain exposed to admin takeover.