Burst Statistics CVE-2026-8181 Draws 7,400 Attacks in 24 Hours

Wordfence blocked over 7,400 attacks against CVE-2026-8181 in the Burst Statistics WordPress plugin within 24 hours of disclosure, with 115,000 sites still unpatched.

    Wordfence researchers disclosed active exploitation of CVE-2026-8181, an authentication bypass in the Burst Statistics WordPress analytics plugin, installed on approximately 200,000 sites. Within 24 hours of Wordfence’s public disclosure, the security firm’s firewall blocked more than 7,400 attacks targeting the vulnerability. An estimated 115,000 sites remain unpatched, still running vulnerable versions of the plugin despite a patch having been available since May 12.

    CVE-2026-8181 Lets Unauthenticated Attackers Claim WordPress Administrator Accounts

    CVE-2026-8181 is an authentication bypass in Burst Statistics versions 3.4.0 and 3.4.1 that allows unauthenticated attackers to impersonate existing administrator accounts or create entirely new administrator users on affected WordPress installations. The root cause is a logic error in how the plugin handles the return value of wp_authenticate_application_password(): code in the vulnerable versions incorrectly interprets a WP_Error object — which signals an authentication failure — as a successful authentication event, granting the attacker administrator-level access.
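The return-value mix-up described above, shown as an added illustrative example rather than Burst Statistics' own code: a WP_Error object is truthy in PHP, so a plain truthiness test on the result of wp_authenticate_application_password() accepts a rejected login. The minimal stand-ins for WP_Error, WP_User, is_wp_error() and wp_authenticate_application_password() are guarded so they never override core and exist only so the file runs with plain `php`; the `burst_example_*` function names and the demo credentials are constructed for this example.

```php
<?php
// Added illustrative example; it is not Burst Statistics' own code. It shows the
// bug class described in the article (a WP_Error return treated as a successful
// login) beside the corrected check. The stand-ins below are guarded so they
// never override core; inside WordPress, core supplies WP_Error, WP_User,
// is_wp_error() and wp_authenticate_application_password().

if ( ! class_exists( 'WP_Error' ) ) {
	class WP_Error {
		public $code; public $message;
		public function __construct( $code = '', $message = '' ) { $this->code = $code; $this->message = $message; }
	}
}
if ( ! class_exists( 'WP_User' ) ) {
	class WP_User {
		public $ID; public $user_login;
		public function __construct( $id, $login ) { $this->ID = $id; $this->user_login = $login; }
	}
}
if ( ! function_exists( 'is_wp_error' ) ) {
	function is_wp_error( $thing ) { return $thing instanceof WP_Error; }
}
if ( ! function_exists( 'wp_authenticate_application_password' ) ) {
	// Stand-in mirroring core's three outcomes: WP_User on success, WP_Error on
	// rejected credentials, and $input_user (null here) when the check does not apply.
	function wp_authenticate_application_password( $input_user, $username, $password ) {
		if ( '' === $username ) {
			return $input_user;
		}
		// Constructed credentials for the demo only.
		if ( 'admin' === $username && 'correct-app-password' === $password ) {
			return new WP_User( 1, 'admin' );
		}
		return new WP_Error( 'invalid_password', 'Invalid application password.' );
	}
}

// Vulnerable pattern (illustrative): any non-falsy return is read as success.
function burst_example_resolve_login_vulnerable( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );
	if ( $result ) {        // a WP_Error object is truthy, so failures land here too
		return $username;   // caller would proceed to act as this account
	}
	return null;
}

// Corrected pattern: success only when a genuine WP_User object comes back,
// which also rejects the "not applicable" null return.
function burst_example_resolve_login_fixed( $username, $password ) {
	$result = wp_authenticate_application_password( null, $username, $password );
	if ( is_wp_error( $result ) || ! ( $result instanceof WP_User ) ) {
		return null;
	}
	return $result->user_login;
}

// Constructed inputs: correct password, wrong password, and an empty username.
$cases = array(
	array( 'admin', 'correct-app-password' ),
	array( 'admin', 'wrong-password' ),
	array( '', '' ),
);
foreach ( $cases as $case ) {
	list( $u, $p ) = $case;
	printf(
		"%-32s vulnerable=%-8s fixed=%s\n",
		"'$u' / '$p'",
		var_export( burst_example_resolve_login_vulnerable( $u, $p ), true ),
		var_export( burst_example_resolve_login_fixed( $u, $p ), true )
	);
}
```

Running it with plain `php` prints `'admin'` from both functions for the correct password, but for the wrong password the vulnerable form still returns `'admin'` while the fixed form returns `NULL`. The corrected check is the one defenders should look for when reviewing any code that consumes this function: test `is_wp_error()` and `instanceof WP_User`, never truthiness, because the function can legitimately return a WP_User, a WP_Error, or the unchanged input.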

    Administrator access to a WordPress installation gives an attacker full control: the ability to install arbitrary plugins, modify site content, alter theme files to inject malicious code, read any data in the WordPress database that the installation can reach, and potentially pivot to the underlying server depending on file system permissions. Wordfence characterized the impact as providing “full administrator-level access to the WordPress installation.”

    Wordfence Timeline: Vulnerability Discovered May 8, Patch Released May 12, Attacks Began at Disclosure

    Wordfence discovered CVE-2026-8181 on May 8, 2026. The plugin developer released version 3.4.2 on May 12 to fix the flaw. Wordfence publicly disclosed the vulnerability on May 14, 2026 — the same day active exploitation was confirmed.

    Within 24 hours of the May 14 disclosure, Wordfence’s firewall had blocked over 7,400 attack attempts targeting CVE-2026-8181. The rapid attack volume following public disclosure reflects the same pattern seen across other WordPress plugin vulnerabilities: automated scanning tools begin probing all reachable sites for vulnerable plugin versions immediately after a CVE is published, as the simplicity of authentication bypass exploits makes them easy to scan for at scale.

    115,000 of 200,000 Plugin Sites Still Running Vulnerable Burst Statistics 3.4.0 or 3.4.1

    Wordfence estimated that approximately 115,000 of the roughly 200,000 sites running Burst Statistics have not yet applied the 3.4.2 patch, based on the approximately 85,000 downloads of the patched version recorded since its May 12 release. The gap between patch availability and actual deployment — two days, in this case — created the window that attackers exploited on the day of disclosure.

    The scale of unpatched exposure across WordPress plugins with six-figure install counts is a recurring pattern in web security. Burst Statistics is an analytics plugin, meaning it is installed on sites where administrators may not monitor plugin update notifications closely, and where the plugin’s analytics functionality continues operating normally even while the authentication bypass exists, offering no visible indication to site owners that anything is wrong.

    Patching Burst Statistics 3.4.2 and Auditing for Signs of CVE-2026-8181 Exploitation

    WordPress site administrators running Burst Statistics 3.4.0 or 3.4.1 should update to version 3.4.2 immediately through the WordPress admin panel or via wp-cli. Sites that have not yet updated should be treated as potentially compromised, given that active exploitation has been underway since May 14 and Wordfence blocked 7,400 attack attempts within the first 24 hours.

    Post-patch checks should include reviewing the WordPress user table for any administrator accounts added after May 14 that were not created by the site’s legitimate administrators, inspecting recently modified theme and plugin files for injected code, and reviewing web server access logs for requests consistent with authentication bypass attempts. Wordfence’s free plugin can identify exploitation attempts in log data even for sites not running a Wordfence firewall subscription. Sites using a web application firewall should confirm that a rule covering CVE-2026-8181 is active and updated to the most recent signature set.
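The three checks above (installed plugin version, administrator accounts created after disclosure, and recently modified theme and plugin files) as one read-only audit script. This is an added example, not part of the article or of the Burst Statistics plugin; it is meant to be run inside the site with `wp eval-file burst-audit.php`. It assumes the plugin directory is `burst-statistics` (its wordpress.org slug), takes the May 14, 2026 cutoff from the article, and uses only WordPress core functions (get_plugins(), get_users(), get_theme_root()) plus the SPL directory iterators; the `burst_audit_*` names are constructed for this example. The access-log review the article also recommends is not included, since no request pattern is given here.

```php
<?php
// Added example for the post-patch checks described in the article; it is not
// part of the article or of the Burst Statistics plugin. Run inside the site:
//     wp eval-file burst-audit.php
// Assumptions: plugin directory 'burst-statistics' (its wordpress.org slug);
// cutoff = the May 14, 2026 disclosure date from the article. Read-only.

$cutoff_gmt      = '2026-05-14 00:00:00';     // user_registered is stored in GMT
$cutoff_ts       = strtotime( $cutoff_gmt . ' UTC' );
$fixed_version   = '3.4.2';                    // patched release named in the article
$vulnerable_list = array( '3.4.0', '3.4.1' );  // versions the article names as affected

require_once ABSPATH . 'wp-admin/includes/plugin.php'; // provides get_plugins()

// 1. Installed plugin version, or null if the plugin is not present.
function burst_audit_plugin_version() {
	foreach ( get_plugins() as $file => $data ) {
		if ( strpos( $file, 'burst-statistics/' ) === 0 ) { // assumed directory name
			return $data['Version'];
		}
	}
	return null;
}

// 2. Administrator accounts registered on or after the cutoff.
function burst_audit_new_admins( $cutoff_gmt ) {
	$admins = get_users( array(
		'role'   => 'administrator',
		'fields' => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
	) );
	// user_registered uses 'Y-m-d H:i:s', so string comparison orders correctly.
	return array_filter( $admins, function ( $u ) use ( $cutoff_gmt ) {
		return $u->user_registered >= $cutoff_gmt;
	} );
}

// 3. PHP, JS and .htaccess files under $dir modified on or after the cutoff.
function burst_audit_recent_files( $dir, $cutoff_ts, $limit = 50 ) {
	$hits = array();
	$iter = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $iter as $f ) {
		$interesting = in_array( strtolower( $f->getExtension() ), array( 'php', 'js' ), true )
			|| '.htaccess' === $f->getFilename();
		if ( $f->isFile() && $interesting && $f->getMTime() >= $cutoff_ts ) {
			$hits[] = gmdate( 'Y-m-d H:i:s', $f->getMTime() ) . '  ' . $f->getPathname();
			if ( count( $hits ) >= $limit ) {
				break;
			}
		}
	}
	sort( $hits );
	return $hits;
}

// Report.
$version = burst_audit_plugin_version();
if ( null === $version ) {
	echo "Burst Statistics: not installed\n";
} elseif ( in_array( $version, $vulnerable_list, true ) ) {
	echo "Burst Statistics $version: VULNERABLE (CVE-2026-8181), update to $fixed_version\n";
} elseif ( version_compare( $version, $fixed_version, '<' ) ) {
	echo "Burst Statistics $version: older than $fixed_version, update\n";
} else {
	echo "Burst Statistics $version: patched\n";
}

echo "\nAdministrator accounts registered since $cutoff_gmt GMT:\n";
$new_admins = burst_audit_new_admins( $cutoff_gmt );
if ( empty( $new_admins ) ) {
	echo "  none\n";
}
foreach ( $new_admins as $u ) {
	echo "  #{$u->ID}  {$u->user_login}  {$u->user_email}  {$u->user_registered}\n";
}

foreach ( array( 'theme' => get_theme_root(), 'plugin' => WP_PLUGIN_DIR ) as $label => $dir ) {
	echo "\nRecently modified $label files (the $fixed_version update itself will appear here):\n";
	$files = burst_audit_recent_files( $dir, $cutoff_ts );
	echo $files ? '  ' . implode( "\n  ", $files ) . "\n" : "  none\n";
}
```

Two points when reading the output: an administrator account listed here is only suspicious if the site's legitimate administrators did not create it, and the plugin update applied after May 14 will legitimately show up in the modified-files list, so compare the remaining entries against known deployments before concluding anything.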
