Hackers are actively exploiting a critical security flaw in the WordPress plugin Burst Statistics that can allow them to gain admin-level access to vulnerable websites.

Burst Statistics is a privacy-focused analytics plugin used on around 200,000 WordPress websites. It is promoted as a lightweight alternative to Google Analytics, but a recently introduced vulnerability has put many sites at risk.

The flaw is tracked as CVE-2026-8181 and was introduced on April 23 with the release of Burst Statistics version 3.4.0. The same vulnerable code was also present in version 3.4.1.

Security firm Wordfence discovered the issue on May 8 and said the vulnerability allows unauthenticated attackers to impersonate known administrator users during REST API requests. In some cases, attackers could even create new rogue admin accounts without needing any valid login credentials.

According to Wordfence, attackers only need to know a valid administrator username. They can then send a Basic Authentication header with any incorrect password and still impersonate that administrator for the duration of a REST API request. This includes access to WordPress core endpoints such as the users API.

In the worst-case scenario, an attacker could use the flaw to create a new administrator-level account without any prior authentication.

The issue comes from the plugin incorrectly handling the result of WordPress’ wp_authenticate_application_password() function. The vulnerable code wrongly treats certain responses as successful authentication, allowing the attacker-supplied username to be set as the current user during the request.
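The safe way to consume that return value, as an added example (not the plugin's code and not Wordfence's; the `WP_User`/`WP_Error` stand-ins and `simulated_authenticate()` are constructed so it runs outside WordPress): only a `WP_User` instance proves the credential, while `WP_Error` and `null` both mean it was not proven.

```php
<?php
// Constructed stand-ins so this runs outside WordPress; on a real site these
// classes and is_wp_error() come from core and must not be redefined.
class WP_User  { public function __construct( public string $user_login ) {} }
class WP_Error { public function __construct( public string $code ) {} }
function is_wp_error( $thing ): bool { return $thing instanceof WP_Error; }

// Simulates the contract of wp_authenticate_application_password():
// WP_User on success, WP_Error on a bad password, null when no attempt is made.
function simulated_authenticate( $input_user, string $username, string $password ) {
    if ( $username === '' ) {
        return $input_user;                // nothing to check: passes null through
    }
    return $password === 'correct-app-password'
        ? new WP_User( $username )
        : new WP_Error( 'incorrect_password' );
}

// Hypothetical helper of the kind a plugin hooks into REST authentication.
// Only a WP_User may become the current user; anything else leaves it unchanged.
function resolve_rest_user( ?WP_User $current, string $username, string $password ): ?WP_User {
    $result = simulated_authenticate( $current, $username, $password );
    if ( ! ( $result instanceof WP_User ) ) {
        return $current;                   // WP_Error or null: no user is set
    }
    return $result;
}

// Checks that misread the contract (illustrative, not the plugin's actual code):
//   if ( ! is_wp_error( $result ) )  accepts null, i.e. "no attempt made"
//   if ( $result )                   accepts a WP_Error object, which is truthy
var_dump( resolve_rest_user( null, 'admin', 'wrong-password' ) );       // bad password
var_dump( resolve_rest_user( null, '', '' ) );                           // no attempt
var_dump( resolve_rest_user( null, 'admin', 'correct-app-password' ) ); // valid credential
```

Run it with `php` 8 or later; a username alone, with a wrong password, never yields a user object.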


Admin usernames can often be exposed through blog posts, comments, public API requests, or guessed through brute-force attempts. Once attackers gain admin-level access, they can view private data, plant backdoors, redirect visitors to malicious websites, spread malware, or create additional admin accounts.

Wordfence warned that the flaw was likely to be targeted by attackers and urged users to update immediately. Its tracker now shows that exploitation has already started, with more than 7,400 attacks targeting CVE-2026-8181 blocked in the past 24 hours.

Users of Burst Statistics should update to version 3.4.2, which was released on May 12, 2026. Website owners who cannot update right away are advised to disable the plugin until they can safely install the patched version.

WordPress.org data shows that Burst Statistics has been downloaded 85,000 times since version 3.4.2 was released. Assuming those downloads were for the latest patched version, around 115,000 websites may still remain exposed to possible admin takeover attacks.
