Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1. According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even create rogue admin accounts. “This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” explains Wordfence. “In a worst-case scenario, an attacker could exploit this flaw to create a new administrator-level account with no prior authentication whatsoever.” The root cause is the incorrect interpretation of the ‘wp_authenticate_application_password()’ function results, specifically, treating a ‘WP_Error’ as an indication of successful authentication. However, the researchers explain that WordPress can also return ‘null’ in some cases, which is mistakenly treated as an authenticated request. As a result, the code calls ‘wp_set_current_user()’ with the attacker-supplied username, effectively impersonating that user for the duration of the REST API request.