Critical auth bypass in Burst Statistics plugin puts 200,000 WordPress sites at risk

Burst Statistics authentication bypass CVE-2026-8181

A critical authentication bypass in the Burst Statistics plugin (200,000+ active installs) has been disclosed by Wordfence and is tracked as CVE-2026-8181. The flaw can let an unauthenticated attacker who knows a valid administrator username impersonate that admin for the duration of a WordPress REST API request. In the worst case, this could be used to create a new administrator account without prior authentication. A patch is available.

Why it matters: authentication bypasses short-circuit the very control that keeps sites safe. When the affected plugin is widely installed, even a brief exposure window can translate to significant risk.

What the flaw enables

According to Wordfence, the issue allows a remote attacker to supply a Basic Authentication header with any arbitrary, incorrect password and still be treated as an authenticated administrator—if the attacker knows a real admin username. This applies to REST API calls, including core endpoints like /wp-json/wp/v2/users.
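To make the bug class concrete, here is an added Python illustration (not Burst Statistics' code, and not Wordfence's analysis of it) of the difference between an authenticator that merely resolves a Basic Authentication username and one that actually verifies the password. The user table, salt, PBKDF2 hashing and the function names are all constructed for this example; WordPress itself uses a different password scheme.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed stand-in for a user store: username -> role, salt, PBKDF2 hash.
# This is not WordPress's phpass scheme; it only makes the example self-contained.
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "admin": {"role": "administrator", "salt": _SALT,
              "hash": _hash_password("correct horse battery staple", _SALT)},
    "editor": {"role": "editor", "salt": _SALT,
               "hash": _hash_password("another-password", _SALT)},
}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' header into (user, password).

    Returns None for a missing header, a non-Basic scheme, bad base64, or a
    payload without the mandatory ':' separator (RFC 7617)."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # password may itself contain ':'
    return user, password


def authenticate_vulnerable(header: Optional[str]) -> Optional[str]:
    """Hypothetical flawed pattern: the user is looked up by name and the
    password is never compared, so any guessable admin name is enough."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, _ignored_password = creds
    return user if user in USERS else None


def authenticate_fixed(header: Optional[str]) -> Optional[str]:
    """Hardened pattern: resolve the user, then verify the password against the
    stored hash with a constant-time comparison before granting any identity."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    if record is None:
        # Burn the same hashing cost for unknown users so timing does not
        # reveal whether a username exists.
        _hash_password(password, _SALT)
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return user


def role_for(user: Optional[str]) -> Optional[str]:
    """Role the request would run as; None means the request stays unauthenticated."""
    return USERS[user]["role"] if user in USERS else None


def basic_header(user: str, password: str) -> str:
    """Build the header a client would send (constructed helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    wrong = basic_header("admin", "definitely-not-the-password")
    print("vulnerable:", role_for(authenticate_vulnerable(wrong)))  # administrator
    print("fixed:     ", role_for(authenticate_fixed(wrong)))       # None
```

The useful takeaway for reviewers is the shape of the flaw rather than any specific line: if the code path that maps a Basic Authentication header to a user object can return before the password check runs, the REST API request executes with that user's capabilities, which is exactly the outcome the advisory describes.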

Wordfence attributes the discovery to its PRISM research platform on May 8, 2026. Their post states the vulnerable code was introduced on April 23, 2026, discovered 15 days later, and patched 19 days after introduction. They report the vendor acknowledged the issue on May 11 and issued a fix on May 12, 2026. Wordfence also notes it expects attackers to target the flaw and urges site owners to update promptly.

Source: Wordfence’s advisory on CVE-2026-8181 for Burst Statistics: https://www.wordfence.com/blog/2026/05/200000-wordpress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin/

What to do now

The evidence supports the following immediate actions:

  • Update the Burst Statistics plugin to the latest available version. Wordfence reports a patch was released on May 12, 2026.
  • If you use Wordfence: Premium, Care, and Response users received a firewall rule on May 8, 2026; Wordfence Free is scheduled to receive the same rule on June 7, 2026, per Wordfence.

A separate auth bypass in Advanced Access Manager

In parallel, a different authentication bypass (CVE-2026-42674) has been noted for the Advanced Access Manager (AAM) plugin. Patchstack describes it as an “Authentication Bypass by Spoofing” issue related to URL encoding, affecting versions through 7.1.0. They indicate it is low severity and unlikely to be exploited, and advise updating to 7.1.1 or later.

Source: Patchstack entry for CVE-2026-42674: https://patchstack.com/database/wordpress/plugin/advanced-access-manager/vulnerability/wordpress-advanced-access-manager-plugin-7-1-0-bypass-vulnerability-vulnerability?_s_id=cve

What remains unclear

  • The Burst Statistics advisory does not list specific affected version numbers in the evidence presented here.
  • There is no evidence provided of active exploitation in the wild; Wordfence states they expect targeting and recommends rapid updates.

Bottom line

Two recent reports highlight how authentication bypass flaws can surface in popular WordPress plugins. For Burst Statistics (CVE-2026-8181), a vendor fix is available and updating quickly is the safest course. If you rely on Wordfence, note the firewall rule timing. For Advanced Access Manager (CVE-2026-42674), Patchstack recommends updating to at least 7.1.1. Staying current with patches and vendor advisories remains the most reliable way to reduce exposure.

Author: Alex Mira, AI Research Writer at Toolslib

Bio: Alex Mira is a fictitious AI-assisted author created for the Toolslib blog. Alex helps transform technical cybersecurity and software topics into clear, practical articles for developers, analysts, and everyday users.

Disclosure: Alex Mira is not a real person. Content under this profile may be AI-assisted and should follow Toolslib’s editorial standards.
