Ethical Hacking News

Hacking the Backdoor: Burst Statistics WordPress Plugin Vulnerability Exposed

Hackers have exposed a critical authentication bypass vulnerability within the Burst Statistics WordPress plugin, allowing them to impersonate admin users and gain access to sensitive data. With over 115,000 sites still vulnerable, it's crucial that users upgrade to the patched release or disable the plugin immediately to protect themselves from potential threats.

  • Wordfence discovered a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin.
  • Unauthenticated attackers can impersonate known admin users and gain unauthorized access to websites via REST API requests.
  • The vulnerability lies in incorrect interpretation of 'wp_authenticate_application_password()' function results.
  • Users are advised to upgrade to version 3.4.2 or disable the plugin on their site to prevent attacks.
  • The discovery highlights the importance of keeping software up-to-date and monitoring for potential security vulnerabilities.



In a stark reminder of the ever-present threat that lurks in the shadows of digital realms, a recent discovery by the cybersecurity firm Wordfence has shed light on a critical authentication bypass vulnerability within the Burst Statistics WordPress plugin. This seemingly innocuous tool, touted as a lightweight, privacy-focused alternative to Google Analytics, has been found vulnerable to exploitation by hackers.

As of April 23, with the release of version 3.4.0 of the plugin, a devastating flaw was introduced that allows unauthenticated attackers to impersonate known admin users during REST API requests. This means that malicious actors can create rogue admin accounts and gain unauthorized access to websites. Moreover, an attacker who knows a valid administrator username can fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints.

The root cause of this vulnerability lies in the incorrect interpretation of the results of the 'wp_authenticate_application_password()' function. Specifically, the code incorrectly treats a 'WP_Error' return as an indication of successful authentication. WordPress can also return 'null' from this function in certain cases, and that too is mistakenly treated as an authenticated request. As a result, the code calls 'wp_set_current_user()' with the attacker-supplied username, effectively impersonating that user for the duration of the REST API request.

Admin usernames may be exposed in blog posts, comments, or even in public API requests, and attackers can also use brute-force techniques to guess them. Admin-level access grants attackers the ability to access private databases, plant backdoors, redirect visitors to unsafe locations, distribute malware, create rogue admin users, and more.

According to Wordfence, malicious activity targeting this vulnerability has already begun: the firm has blocked over 7,400 attacks in the past 24 hours alone, indicating that exploitation is significant. It is crucial for users of the Burst Statistics plugin to upgrade to the patched release, version 3.4.2, released on May 12, 2026, or disable the plugin on their site.

Furthermore, this discovery serves as a reminder of the importance of keeping software up to date and monitoring for security vulnerabilities. With roughly 115,000 sites still exposed to admin takeover after the release of version 3.4.2, it is imperative that users take immediate action to protect themselves from these threats.

In light of this vulnerability, cybersecurity experts are urging individuals to exercise caution when navigating their digital landscapes. As AI-powered exploits continue to rise in sophistication and frequency, the need for autonomous, context-rich validation systems has never been more pressing.
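The root-cause paragraph above turns on one detail of the WordPress API: 'wp_authenticate_application_password()' can return a 'WP_User' (success), a 'WP_Error' (failure) or 'null' (no application-password credentials were presented at all), so any gate that rejects only one of the two non-success results will wave the other through. The following PHP 8 file is an added illustration written for this article; it is not the Burst Statistics plugin's code and does not claim to reproduce the plugin's exact check. The 'WP_Error' and 'WP_User' classes, 'is_wp_error()' and 'fake_authenticate_application_password()' are constructed stand-ins so the file runs outside WordPress; the correct gate shown in 'hardened_gate()' is the pattern a reviewer should look for before any call to 'wp_set_current_user()'.

```php
<?php
// Added example, not the plugin's own code. Constructed stand-ins for the
// WordPress classes and helpers so this file runs outside WordPress.
class WP_Error { public function __construct(public string $code = 'invalid') {} }
class WP_User  { public function __construct(public int $ID, public string $user_login) {} }

function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Stand-in for wp_authenticate_application_password(), whose documented return
// types are WP_User|WP_Error|null: null when the request carried no
// application-password credentials, WP_Error when they were wrong, WP_User when valid.
function fake_authenticate_application_password(?string $username, ?string $password): WP_User|WP_Error|null {
    if ($username === null || $password === null) {
        return null;                                   // no app-password attempt at all
    }
    if ($username === 'admin' && $password === 'correct-horse') {   // constructed credential
        return new WP_User(1, 'admin');
    }
    return new WP_Error('invalid_application_password');
}

// Weak gate: "anything that is not an error counts as a login". A null result,
// i.e. a request with no credentials whatsoever, passes this check.
function weak_gate(WP_User|WP_Error|null $result): bool {
    return !is_wp_error($result);
}

// Hardened gate: only a WP_User instance proves authentication. WP_Error and null
// both map to "not authenticated", and the user id handed to wp_set_current_user()
// comes from the WP_User object that WordPress resolved, never from a
// request-supplied username.
function hardened_gate(WP_User|WP_Error|null $result): ?int {
    return $result instanceof WP_User ? $result->ID : null;
}

// Constructed sample requests covering all three return types.
$cases = [
    'no credentials' => fake_authenticate_application_password(null, null),
    'bad password'   => fake_authenticate_application_password('admin', 'wrong'),
    'valid login'    => fake_authenticate_application_password('admin', 'correct-horse'),
];

foreach ($cases as $label => $result) {
    printf("%-15s weak_gate=%-5s hardened_gate=%s\n",
        $label,
        weak_gate($result) ? 'true' : 'false',
        var_export(hardened_gate($result), true));
}
```

Run with 'php' 8.0 or later. The "no credentials" row is the one to watch: 'weak_gate()' reports true for a request that never attempted to authenticate, while 'hardened_gate()' returns null for it and yields a user id only for the genuine 'WP_User' result. In a real REST authentication filter the same rule applies whichever of the non-success values the plugin mishandles: test for the success type explicitly rather than for the absence of one failure type.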



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hacking-the-Backdoor-Burst-Statistics-WordPress-Plugin-Vulnerability-Exposed-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin/


  • Published: Thu May 14 17:22:19 2026 by llama3.2 3B Q4_K_M