On May 8, 2026, PRISM, Wordfence Threat Intelligence’s autonomous vulnerability research platform, discovered a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with more than 200,000 active installations. The vulnerability was introduced in the code on April 23, 2026, discovered just 15 days later, and patched 19 days later, highlighting the positive impact that AI can have on reducing the window for attackers to find and target new vulnerabilities in WordPress.
This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header. In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 8, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later, on June 7, 2026.
We initiated disclosure on May 8th, 2026 and sent the full disclosure details to the Burst Statistics Team on May 11, 2026, through our Wordfence Vulnerability Management Portal. The vendor acknowledged the report on May 11, 2026, and released a patch just one day later, on May 12, 2026. We commend the Burst Statistics Team for their rapid response and exceptionally timely patch.
We expect this vulnerability to be targeted by attackers and, as such, updating to the latest version as soon as possible is critical. We urge users to update their sites to the latest patched version of Burst Statistics, version 3.4.2 at the time of this publication.
Vulnerability Summary from Wordfence Intelligence
Technical Analysis
Unfortunately, insecure return-value handling in the plugin’s MainWP integration allows unauthenticated attackers to impersonate any administrator for the lifetime of a REST API request.
Burst Statistics includes a proxy integration with the MainWP site management platform, and to support remote management requests it implements a custom HTTP authentication scheme. The entry point for this scheme is the has_admin_access() method in includes/Traits/trait-admin-helper.php.
This method is invoked during Burst’s bootstrap for every REST API request, not just Burst-specific endpoints. When the incoming request carries the X-BurstMainWP: 1 header, has_admin_access() immediately delegates to the is_mainwp_authenticated() method of the MainWP_Proxy class, as shown on line 202 and line 205 of trait-admin-helper.php:
if ( isset( $_SERVER['HTTP_X_BURSTMAINWP'] ) && $_SERVER['HTTP_X_BURSTMAINWP'] === '1' ) {
    // MainWP_Proxy lives in includes/Frontend/class-mainwp-proxy.php.
    $mainwp_proxy = new \Burst\Frontend\MainWP_Proxy();
    // Any truthy result marks the whole request as administrator-level.
    if ( $mainwp_proxy->is_mainwp_authenticated() ) {
        return burst_loader()->has_admin_access = true;
    }
}
The source of attacker-controlled input is the Authorization HTTP header, which is read without restriction on line 314 of includes/Frontend/class-mainwp-proxy.php. The function decodes the Base64-encoded Basic credentials and splits them into a username and a password, both of which are fully attacker-supplied. It then passes these values to WordPress core’s wp_authenticate_application_password() function:
public function is_mainwp_authenticated(): bool {
    // Attacker-controlled input: the raw Authorization header (line 314).
    $auth_header = sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '' ) );
    if ( ! empty( $auth_header ) && stripos( $auth_header, 'basic ' ) === 0 ) {
        // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
        $credentials = base64_decode( substr( $auth_header, 6 ), true );
        if ( ! $credentials ) {
            return false;
        }
        // "username:password", both fully attacker-supplied.
        $parts = explode( ':', $credentials, 2 );
        if ( count( $parts ) !== 2 ) {
            return false;
        }
        $username = $parts[0];
        $password = $parts[1];
        // Returns WP_User on success, WP_Error on a failed check, or the
        // unchanged $input_user (null here) when no check was performed at all.
        $is_valid = wp_authenticate_application_password( null, $username, $password );
        // Flaw: only WP_Error is rejected, so a null pass-through is accepted.
        if ( is_wp_error( $is_valid ) ) {
            return false;
        }
        // The user is re-resolved from the attacker-supplied username.
        $user = get_user_by( 'login', $username );
        if ( ! $user || ! user_can( $user, 'manage_burst_statistics' ) ) {
            return false;
        }
        // Line 336: the remainder of the request now runs as this user.
        wp_set_current_user( $user->ID );
        return true;
    }
    return false;
}
The critical flaw lies in treating any non-WP_Error return from wp_authenticate_application_password() as successful authentication. WordPress core does not guarantee that this function returns a WP_Error on authentication failure: it may return the original $input_user unchanged, which here is null, when Application Passwords are not in use or when the current request is not considered an API request. Because null is not a WP_Error, the plugin’s guard silently passes even though no password validation occurred. The implementation should instead require $is_valid instanceof WP_User before proceeding, which is what the author implemented in the patched version.
Because wp_authenticate_application_password() returns null inside is_mainwp_authenticated(), the is_wp_error() check passes and wp_set_current_user( $user->ID ) is called on line 336, setting the globally authenticated user for the entire request to whichever administrator username the attacker provided. From that point, every WordPress capability check, including those performed by WordPress core’s own REST API endpoints, sees a fully authenticated administrator.
An attacker who knows a single valid admin username can therefore send a single HTTP request with a fake password to any REST endpoint, such as POST /wp-json/wp/v2/users, and create a new administrator account with no real credentials.
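As an added illustration of the return-value problem described above (this is not code from Burst Statistics or Wordfence), the script below contrasts the vulnerable guard with the instanceof WP_User check the patch introduced. It defines minimal stand-ins for WP_Error, WP_User and is_wp_error() so it runs without WordPress (PHP 8 or later), and the three sample return values are constructed to mirror the shapes wp_authenticate_application_password() can produce; the username is a placeholder.

```php
<?php
// Added example, not code from Burst Statistics or Wordfence. It shows why
// rejecting only WP_Error is not a proof of authentication.
//
// Constructed stand-ins for the WordPress core pieces the checks below use,
// so the script runs without WordPress (requires PHP 8 or later).
class WP_Error {
    public function __construct( public string $code = '', public string $message = '' ) {}
}
class WP_User {
    public function __construct( public int $ID, public string $user_login ) {}
}
function is_wp_error( mixed $thing ): bool {
    return $thing instanceof WP_Error;
}

// Vulnerable guard (Burst Statistics 3.4.0 - 3.4.1.1): anything that is not a
// WP_Error counts as a successful login, including a null pass-through.
function vulnerable_guard_accepts( mixed $auth_result ): bool {
    return ! is_wp_error( $auth_result );
}

// Hardened guard, in the spirit of the 3.4.2 fix: only a WP_User proves that
// core actually compared a password and found a match. Returning the WP_User
// itself also lets the caller set the current user from the object core
// validated, instead of re-resolving the attacker-supplied username.
function hardened_authenticated_user( mixed $auth_result ): ?WP_User {
    return $auth_result instanceof WP_User ? $auth_result : null;
}

// Constructed sample return values covering the three shapes the core function
// can produce for a Basic-auth request like the one in the advisory.
$username = 'admin'; // constructed placeholder for any valid administrator login
$cases = [
    'null: app passwords not in use, or not an API request' => null,
    'WP_Error: password was checked and did not match'      => new WP_Error( 'incorrect_password', 'Invalid password.' ),
    'WP_User: a real application password matched'          => new WP_User( 1, $username ),
];

foreach ( $cases as $label => $result ) {
    $hardened = hardened_authenticated_user( $result );
    printf(
        "%-56s vulnerable=%-6s hardened=%s\n",
        $label,
        vulnerable_guard_accepts( $result ) ? 'ACCEPT' : 'reject',
        $hardened ? 'ACCEPT as user #' . $hardened->ID : 'reject'
    );
}
```

Run it with php guard-check.php. Only the first row differs between the two columns, and that row is exactly the path the bypass exercises: no password was compared, yet the vulnerable guard accepts. Even with the hardened guard, the user_can( $user, 'manage_burst_statistics' ) capability check that follows in the plugin should stay in place, since a WP_User result proves identity, not authorization.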
Disclosure Timeline
May 8, 2026 – PRISM discovered the Authentication Bypass vulnerability in Burst Statistics.
May 8, 2026 – We validated the discovery and confirmed the proof-of-concept exploit.
May 8, 2026 – We initiated disclosure with the vendor.
May 8, 2026 – Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to provide added protection against any exploits targeting this vulnerability.
May 11, 2026 – Full disclosure details were sent to the Burst Statistics Team through our Wordfence Vulnerability Management Portal.
May 11, 2026 – The vendor acknowledged the report and began working on a fix.
May 12, 2026 – The fully patched version of the plugin, 3.4.2, was released.
June 7, 2026 – Wordfence Free users will receive the same firewall protection.
Conclusion
In this blog post, we detailed an Authentication Bypass vulnerability within the Burst Statistics plugin affecting versions 3.4.0 to 3.4.1.1. This vulnerability allows unauthenticated threat actors with knowledge of a valid administrator username to fully impersonate that administrator across any REST API request, enabling actions such as creating new administrator accounts with no prior authentication. The vulnerability has been addressed in version 3.4.2 of the plugin.
We encourage WordPress users running Burst Statistics to verify that their sites are updated to version 3.4.2 or later as soon as possible, given the unauthenticated nature of this vulnerability and the level of access it can grant to attackers.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 8, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later, on June 7, 2026.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.