CVE-2026-8181

Burst Statistics · Privacy-Friendly WordPress Analytics

The Burst Statistics WordPress plugin contains an authentication bypass: an authentication check validates a return value incorrectly, so an unauthenticated attacker can act as an administrator.

Executive summary

A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin allows unauthenticated attackers to gain administrative control over affected websites.

Vulnerability

The flaw is incorrect return-value validation in the plugin's is_mainwp_authenticated() function (the name suggests the check belongs to the plugin's MainWP integration, though this page does not say which request path reaches it). The effect is that the supplied password is not actually verified: an unauthenticated attacker who knows an administrator's username can pass the check with an arbitrary password and obtain administrator privileges.
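As an added illustration of the bug class (this is not the plugin's code, which the page does not reproduce, and the exact mistake in is_mainwp_authenticated() is unknown), the script below shows a WordPress authentication result that is tested for "non-empty" instead of for an error. The WP_Error and WP_User classes, get_user_by() and wp_authenticate() are minimal stand-ins that keep the real API's return contract so the script runs from the command line; the user table, password and the shape of the faulty check are assumptions.

```php
<?php
// Added illustration of the return-value bug class the advisory describes.
// It is NOT the Burst Statistics plugin's code: the page does not reproduce
// is_mainwp_authenticated(), so the exact mistake there is unknown. The
// WordPress classes and functions below are minimal stand-ins (assumption)
// with the real API's return contract, so the script runs from the CLI.

// Stand-ins for WordPress' WP_Error and WP_User.
class WP_Error {
    public function __construct(public string $code, public string $message) {}
}
class WP_User {
    public function __construct(public int $ID, public string $user_login) {}
}

// Constructed user table: one administrator account.
const USERS = ['admin' => ['ID' => 1, 'password' => 'correct horse battery staple']];

// Like the real get_user_by('login', ...): WP_User on a hit, false otherwise.
function get_user_by(string $field, string $value): WP_User|false {
    if ($field !== 'login' || !array_key_exists($value, USERS)) {
        return false;
    }
    return new WP_User(USERS[$value]['ID'], $value);
}

// Like the real wp_authenticate(): WP_User on success, WP_Error on failure.
// It never returns null or false, which is what the buggy caller below assumes.
function wp_authenticate(string $username, string $password): WP_User|WP_Error {
    $user = get_user_by('login', $username);
    if ($user === false) {
        return new WP_Error('invalid_username', 'Unknown username.');
    }
    if (!hash_equals(USERS[$username]['password'], $password)) {
        return new WP_Error('incorrect_password', 'The password is incorrect.');
    }
    return $user;
}

function is_wp_error(mixed $thing): bool {
    return $thing instanceof WP_Error;
}

// VULNERABLE: the username is checked, but the password result is only tested
// for "non-empty". A WP_Error object is non-empty, so any password passes once
// the attacker knows a valid login name.
function vulnerable_is_authenticated(string $username, string $password): bool {
    if (get_user_by('login', $username) === false) {
        return false;
    }
    $result = wp_authenticate($username, $password);
    return !empty($result);                 // bug: true for WP_Error too
}

// HARDENED: test the error type explicitly and require a WP_User before
// treating the request as authenticated.
function hardened_is_authenticated(string $username, string $password): bool {
    $result = wp_authenticate($username, $password);
    return !is_wp_error($result) && $result instanceof WP_User;
}

foreach ([['admin', 'correct horse battery staple'],
          ['admin', 'wrong-password'],
          ['nobody', 'wrong-password']] as [$u, $p]) {
    printf("%-7s %-28s vulnerable=%-5s hardened=%s\n", $u, $p,
        var_export(vulnerable_is_authenticated($u, $p), true),
        var_export(hardened_is_authenticated($u, $p), true));
}
```

The second row is the case the advisory describes: a valid username with an arbitrary password is accepted by the vulnerable check and rejected by the hardened one. In a real plugin the hardened check should go one step further and verify the capability the action needs (for example user_can($result, 'manage_options')) before performing administrator-level work, rather than treating "authenticated" as "authorized".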

Business impact

The CVSS score of 9.8 (Critical) reflects the risk of total site compromise from an attack that needs no credentials. Successful exploitation gives the attacker administrative access, which on WordPress means the ability to read all site data, inject scripts into pages, install plugins or themes (and so run arbitrary PHP on the server), and take over the site outright, with the reputational and operational damage that follows.

Remediation

Immediate Action: Update the Burst Statistics plugin to the latest available version, which corrects the authentication logic. This page does not name the fixed version, so confirm from the plugin's changelog that the installed release contains the fix. If the plugin cannot be updated at once, deactivate it until it can be.

Proactive Monitoring: Review web server and WordPress access logs for administrative activity from unrecognized IP addresses: successful logins (in stock WordPress a successful POST to wp-login.php is answered with a 302 redirect, a failed one re-renders the form with 200), requests to /wp-admin/ pages, and in particular plugin or theme uploads. Also check the Users screen for administrator accounts you did not create, since an attacker who has already used the flaw will often add one to keep access after the plugin is patched.
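An added example of that log review, not part of the advisory: a PHP command-line script that reads Apache/nginx "combined" format lines and reports successful logins and dashboard requests from IPs outside an allowlist. The log lines are constructed samples and the allowlist is an assumption.

```php
<?php
// Added example for the log-review step above; not part of the advisory.
// Input is Apache/nginx "combined" log format. The lines below are constructed
// samples and the allowlist of IPs that legitimately use the dashboard is an
// assumption. Replace SAMPLE_LOG with file_get_contents('php://stdin') to run
// it over a real access log, e.g.:  zcat access.log*.gz | php review.php

const ADMIN_ALLOWLIST = ['203.0.113.10'];

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Mar/2026:09:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:09:01:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.77 - - [12/Mar/2026:03:14:03 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 9310 "-" "python-requests/2.31"
198.51.100.77 - - [12/Mar/2026:03:14:05 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1204 "-" "python-requests/2.31"
192.0.2.5 - - [12/Mar/2026:10:22:40 +0000] "GET /?p=12 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2026:10:23:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2026:10:23:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields, or null if it doesn't match.
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Return findings for admin activity from IPs outside the allowlist.
// Stock WordPress answers a successful wp-login.php POST with a 302 redirect
// and re-renders the form (200) on failure, so 302 is the interesting case.
// An unauthenticated GET /wp-admin/ is itself a 302 to the login page, so only
// 200 responses on dashboard pages count. admin-ajax.php is excluded because
// front-end JavaScript calls it without being logged in.
function review(string $log, array $allowlist): array {
    $findings = [];
    foreach (explode("\n", trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || in_array($r['ip'], $allowlist, true)) {
            continue;
        }
        $path = strtok($r['path'], '?');          // drop the query string
        if ($r['method'] === 'POST' && $path === '/wp-login.php' && $r['status'] === 302) {
            $findings[] = "{$r['time']} {$r['ip']} successful login ({$r['ua']})";
        } elseif (str_starts_with($path, '/wp-admin/')
                  && $path !== '/wp-admin/admin-ajax.php'
                  && $r['status'] === 200) {
            $findings[] = "{$r['time']} {$r['ip']} dashboard access {$r['method']} {$path} ({$r['ua']})";
        }
    }
    return $findings;
}

foreach (review(SAMPLE_LOG, ADMIN_ALLOWLIST) as $finding) {
    echo $finding, "\n";
}
```

On the sample data the script reports only the three 198.51.100.77 lines: a login at 03:14 from a scripted client followed by a visit to the plugin installer and a plugin upload, which is exactly the sequence the business-impact section warns about. The allowlisted operator's session and the anonymous visitor's redirected /wp-admin/ request are ignored.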

Compensating Controls: Put a Web Application Firewall in front of the site to filter requests to administrative endpoints, and restrict the WordPress dashboard to an allowlist of IP addresses. Because this page does not identify the request path that reaches is_mainwp_authenticated(), an allowlist on /wp-admin/ alone cannot be assumed to block the bypass; treat these controls as defence in depth until the plugin is updated, not as a substitute for the update.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this flaw calls for immediate attention. Update the plugin to the latest version first; every other measure here is secondary. An unpatched site remains open to complete takeover by an unauthenticated attacker who knows an administrator's username, and on WordPress usernames are frequently discoverable (for example through author archive URLs), so that precondition offers little protection.