CVE-2026-8181: Wrong Password, Full Admin on 200,000 WordPress Sites
If you're running the Burst Statistics WordPress analytics plugin and haven't touched it since April, check right now. CVE-2026-8181 is a CVSS 9.8 authentication bypass confirmed in active exploitation since at least May 22 — and the underlying bug is almost elegant in how little it requires of an attacker.
What broke, and how
Version 3.4.0 of Burst Statistics, shipped April 23, introduced a logic error in the is_mainwp_authenticated() function inside class-mainwp-proxy.php. The function calls WordPress's wp_authenticate_application_password(), then checks whether the result is a WP_Error — a reasonable pattern. The problem: when a request arrives outside the normal REST API authentication flow, that WordPress function returns null instead of WP_Error. And is_wp_error(null) returns false. Auth check passes. The door is open.
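To make the null-versus-WP_Error distinction concrete, here is an added illustrative example (not the plugin's actual code, and not the vendor's fix) that places the is_wp_error()-only pattern described above beside a check that fails closed. The function names example_mainwp_authenticated_vulnerable and example_mainwp_authenticated_fixed, and the manage_options capability check, are assumptions for illustration; wp_authenticate_application_password(), is_wp_error(), WP_User and user_can() are WordPress core.

```php
<?php
// Illustrative example added for this article; not Burst Statistics' real code.
// Assumes WordPress core is loaded. wp_authenticate_application_password()
// returns a WP_User on success, a WP_Error on a bad credential, and null when
// it declines to handle the request (for example, outside a REST API request).

// Vulnerable pattern: "not a WP_Error" is treated as "authenticated".
// Because is_wp_error( null ) is false, the null case passes the check.
function example_mainwp_authenticated_vulnerable( $user_login, $password ) {
    $result = wp_authenticate_application_password( null, $user_login, $password );
    if ( is_wp_error( $result ) ) {
        return false;
    }
    return true; // null reaches this line: wrong password, check passes
}

// Hardened pattern: only a real WP_User counts as success. null, false and
// WP_Error all fail closed, and the caller additionally requires an
// administrator-level capability (assumed requirement for this example).
function example_mainwp_authenticated_fixed( $user_login, $password ) {
    $result = wp_authenticate_application_password( null, $user_login, $password );
    if ( ! ( $result instanceof WP_User ) ) {
        return false;
    }
    return user_can( $result, 'manage_options' );
}
```

The general lesson carries beyond this plugin: any gate built on "the result is not an error" must also prove the result is the positive type it expects, since WordPress authentication helpers routinely return null to mean "not handled here" rather than "denied".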
In practice, anyone who knows a valid administrator username — easily harvested from WordPress's public /wp-json/wp/v2/users endpoint on most default installations — can pair it with any wrong password in a Basic Authentication header and be treated as that administrator for the duration of the REST API request. One HTTP request is enough to obtain a WordPress Application Password and establish persistent admin access.
Timeline
- April 23: Burst Statistics 3.4.0 ships, introducing the flaw
- May 8: Wordfence discovers the vulnerability and discloses to the vendor
- May 13: Patch released as version 3.4.2
- May 22: Active exploitation confirmed in the wild
- June 7: Wordfence free-tier firewall rule deployed — 30 days after premium users received it
That 30-day delay between paid and free Wordfence coverage is standard policy, not a failing — but it means roughly 200,000 sites had no WAF mitigation while exploits were already circulating. Patch adoption rates after a month hover somewhere in the 60–70% range for popular plugins. The arithmetic on who's still exposed is not comfortable.
What to do now
Update Burst Statistics to version 3.4.2 or later. The update notice will appear in Plugins → Installed Plugins if you haven't already applied it.
If your site ran a vulnerable version (3.4.0 through 3.4.1.1) during the exposure window, also audit for damage: check your user list for unfamiliar administrator accounts, and review Application Passwords under Users → [admin user] → Application Passwords. Any credential you don't recognize should be revoked immediately, followed by a forced password reset for affected accounts.
This is the second unauthenticated critical-severity flaw in an actively installed WordPress plugin in three weeks. Both had patches available within days; both saw exploitation regardless. The window between public CVE disclosure and mass scanning is now measured in hours. At Falcon Internet, catching these patches in managed environments before that window closes is exactly what 24x7x365 NOC monitoring exists to do.