Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical vulnerability in a widely used WordPress plugin has exposed<\/a> over 200,000 websites to full account takeover, raising urgent concerns across the security community.<\/p>\n Discovered on May 8, 2026, by Wordfence\u2019s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool.<\/p>\n Tracked as CVE-2026-8181 with a CVSS score of 9.8, the vulnerability enables unauthenticated attackers to bypass authentication and impersonate administrator accounts.<\/p>\n The issue impacts versions 3.4.0 through 3.4.1.1 and was introduced on April 23, 2026.<\/p>\n Notably, it was identified within just 15 days and patched 19 days later, highlighting how AI-driven vulnerability<\/a> discovery is shrinking the exploitation window.<\/p>\n The vulnerability stems from improper validation in the plugin\u2019s MainWP integration, specifically within the is_mainwp_authenticated() function.<\/p>\n This function processes authentication requests via the HTTP Authorization header<\/a> but fails to verify the credentials\u2019 validity.<\/p>\n Due to insecure return-value handling, the plugin treats any non-error response from WordPress\u2019s wp_authenticate_application_password() function as successful authentication.<\/p>\n In certain cases, this function returns null instead of an error when authentication fails, allowing malicious requests to pass through unchecked.<\/p>\n An attacker can exploit this flaw by sending a crafted REST API request with a valid administrator username and any arbitrary password encoded in a Basic Authentication header.<\/p>\n The plugin then sets the current user context to the targeted administrator, effectively granting full privileges for the duration of the request.<\/p>\n Successful exploitation allows attackers to perform high-privilege actions without prior authentication.<\/p>\n For example, a single request to the \/wp-json\/wp\/v2\/users endpoint could create a new administrator account, enabling persistent access and complete site compromise.<\/p>\n Because the vulnerability affects all REST API endpoints, attackers can abuse core WordPress functionality beyond the plugin itself, significantly increasing the attack surface.<\/p>\n The Burst Statistics team responded rapidly after disclosure. Wordfence initiated responsible disclosure<\/a> on May 8, shared full details on May 11, and the vendor released a patched version (3.4.2) on May 12, 2026.<\/p>\n Users are strongly advised to update immediately to version 3.4.2 or later to mitigate the risk.<\/p>\n Wordfence customers using Premium, Care, or Response tiers received firewall protection<\/a> on May 8, while free users are scheduled to receive the same protection on June 7, 2026.<\/p>\n Security experts warn that the simplicity of exploitation and lack of authentication make this vulnerability highly attractive to threat actors.<\/p>\n Administrators should audit user accounts, monitor logs, and ensure immediate patching to prevent compromise.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nWordPress Plugin Auth Bypass Flaw<\/strong><\/h2>\n
Patch and Mitigation<\/strong><\/h2>\n
<\/ul>\n