Critical Burst Statistics WordPress Plugin Flaw Under Active Attack
Hackers are actively exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin. Over 7,400 attacks were blocked in 24 hours. Update to version 3.4.2 immediately to protect your site from admin takeover.
A critical security flaw in the Burst Statistics WordPress plugin is under active attack. Hackers are exploiting an authentication bypass vulnerability that grants them admin-level access to websites. If your site runs this plugin, you need to act immediately.
Burst Statistics is a privacy-focused analytics tool installed on approximately 200,000 WordPress sites. The plugin markets itself as a lightweight alternative to Google Analytics. However, a serious security issue now threatens sites using recent versions.
What the Burst Statistics Vulnerability Does
The flaw, identified as CVE-2026-8181, allows attackers to impersonate administrators without proper authentication. The vulnerability was introduced on April 23 with version 3.4.0 of the plugin. Version 3.4.1 also contained the vulnerable code.
According to Wordfence, which discovered the issue on May 8, unauthenticated attackers can impersonate known admin users during REST API requests. They can even create rogue administrator accounts on your site.
The security firm explains that attackers who know a valid administrator username can fully impersonate that administrator. They accomplish this by supplying any arbitrary password in a Basic Authentication header during REST API requests. This includes WordPress core endpoints such as /wp-json/wp/v2/users.
How the Authentication Bypass Works
The root cause involves incorrect interpretation of the wp_authenticate_application_password() function results. Specifically, the plugin treats a WP_Error response as successful authentication. However, WordPress can also return null in certain cases, which the plugin mistakenly treats as an authenticated request.
Consequently, the code calls wp_set_current_user() with the attacker-supplied username. This effectively impersonates that user for the duration of the REST API request. Attackers can find admin usernames in blog posts, comments, or public API requests. Additionally, they can use brute-force techniques to guess usernames.
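The return-value mistake described above, shown as an added illustration of the bug class (this is not the Burst Statistics plugin's own code): a vulnerable check that treats anything other than a WP_Error as success, beside a hardened check that acts only on a verified WP_User. It assumes WordPress is loaded and that the web server exposes Basic Auth credentials as PHP_AUTH_USER / PHP_AUTH_PW; the function names are hypothetical.

```php
<?php
// Added illustration of the bug class the article describes; NOT the
// Burst Statistics plugin's own code. Assumes WordPress is loaded and that
// Basic Auth credentials arrive as PHP_AUTH_USER / PHP_AUTH_PW.
//
// wp_authenticate_application_password() returns a WP_User on success,
// a WP_Error when an application password was presented and rejected, and
// null when no application-password credentials applied to the request.

/** Vulnerable pattern: anything that is not a WP_Error is taken as success. */
function vulnerable_basic_auth_user_id(): int {
    $login = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass  = $_SERVER['PHP_AUTH_PW'] ?? '';
    $user  = wp_authenticate_application_password( null, $login, $pass );
    if ( is_wp_error( $user ) ) {
        return 0;
    }
    // BUG: $user is null here when nothing was verified, yet the code
    // trusts the client-supplied login and resolves it to an account.
    $account = get_user_by( 'login', $login );
    return $account ? $account->ID : 0; // caller then calls wp_set_current_user()
}

/** Hardened pattern: act only on a verified WP_User, never on the login string. */
function hardened_basic_auth_user_id(): int {
    $login = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass  = $_SERVER['PHP_AUTH_PW'] ?? '';
    $user  = wp_authenticate_application_password( null, $login, $pass );
    if ( ! $user instanceof WP_User ) {
        // Covers both WP_Error (rejected) and null (nothing to verify):
        // leave the request unauthenticated and let core decide.
        return 0;
    }
    return $user->ID; // identity comes from the verified object only
}

// Both variants would be attached to the REST pipeline the same way; only
// the check differs. With the vulnerable variant, a null result lets the
// client-named account become the current user, which is the flaw described.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( null !== $result ) {
        return $result; // another handler already decided
    }
    $id = hardened_basic_auth_user_id();
    if ( $id > 0 ) {
        wp_set_current_user( $id );
    }
    return $result;
} );
```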
Risks of Admin-Level Access
Once attackers gain admin-level access, they can cause significant damage to your site. They can access private databases and plant backdoors on your site. Furthermore, they can redirect visitors to unsafe locations and distribute malware through your website.
Attackers can also create additional rogue admin users. This gives them persistent access even if you discover and remove their initial entry point. The potential for damage to your business and reputation is substantial.
Active Exploitation of the Burst Statistics Vulnerability
Wordfence warned that they expected this vulnerability to be targeted by attackers. Their prediction proved accurate. The security firm has already blocked over 7,400 attacks targeting CVE-2026-8181 in the past 24 hours alone.
This attack volume indicates significant and ongoing malicious activity. Hackers are actively scanning for vulnerable sites running outdated versions of Burst Statistics. Every hour you delay updating increases your risk of compromise.
What You Need to Do Right Now
Users of Burst Statistics must upgrade to version 3.4.2 immediately. The plugin developer released this patched version on May 12, 2026. Alternatively, if you cannot update right away, disable the plugin on your site until you can apply the patch.
WordPress.org statistics show that Burst Statistics had 85,000 downloads since the release of version 3.4.2. Assuming all those downloads were for the latest version, approximately 115,000 sites remain exposed to admin takeover attacks. Do not let your site be one of them.
Check your WordPress dashboard now. Navigate to Plugins and look for Burst Statistics. If the version number shows 3.4.0 or 3.4.1, update immediately. Your site security depends on it.
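For sites that cannot update immediately, the article's fallback advice (disable the plugin until patched) can be enforced automatically. The following is an added example, not code from the plugin or its developer: a must-use plugin that deactivates Burst Statistics only when an active copy is in the vulnerable 3.4.0 to 3.4.1 range and tells the admin why. It assumes the plugin reports its display name as "Burst Statistics" in get_plugins(); the constant and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard for vulnerable Burst Statistics versions
 * Description: Added example (not the plugin's own code). Deactivates Burst
 *              Statistics while a version affected by CVE-2026-8181 is active,
 *              as a stopgap until 3.4.2 is installed. Place in wp-content/mu-plugins/.
 */

// Per the article: the flaw was introduced in 3.4.0 and fixed in 3.4.2.
const BURST_GUARD_FIRST_BAD = '3.4.0';
const BURST_GUARD_FIXED     = '3.4.2';
// Assumption: the display name get_plugins() reports for this plugin.
const BURST_GUARD_NAME      = 'Burst Statistics';

/** Returns [plugin_file, version] for an active vulnerable copy, or null. */
function burst_guard_find_vulnerable() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( $data['Name'] !== BURST_GUARD_NAME || ! is_plugin_active( $file ) ) {
            continue;
        }
        $v = $data['Version'];
        // Only 3.4.0 <= version < 3.4.2 is affected; older and patched copies pass.
        if ( version_compare( $v, BURST_GUARD_FIRST_BAD, '>=' )
            && version_compare( $v, BURST_GUARD_FIXED, '<' ) ) {
            return array( $file, $v );
        }
    }
    return null;
}

add_action( 'admin_init', function () {
    $hit = burst_guard_find_vulnerable();
    if ( null === $hit ) {
        return;
    }
    list( $file, $version ) = $hit;
    deactivate_plugins( $file );
    error_log( "burst-guard: deactivated $file (version $version); update to " . BURST_GUARD_FIXED );
    add_action( 'admin_notices', function () use ( $version ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( "Burst Statistics $version was deactivated (CVE-2026-8181). Update to "
                . BURST_GUARD_FIXED . " and re-enable it." )
        );
    } );
} );
```

Because it hooks admin_init, the guard acts on the next admin page load; remove the file once the site is on 3.4.2 or later.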
Key Takeaways
- If your site runs this plugin, you need to act immediately.
- Burst Statistics is a privacy-focused analytics tool installed on approximately 200,000 WordPress sites, and a serious security issue now threatens sites using recent versions.
- The flaw, identified as CVE-2026-8181, allows attackers to impersonate administrators without proper authentication.
- Wordfence has already blocked over 7,400 attacks targeting CVE-2026-8181 in the past 24 hours alone, which indicates significant and ongoing malicious activity.
- Users of Burst Statistics must upgrade to version 3.4.2 immediately; every hour you delay updating increases your risk of compromise.
- Assuming all recent downloads were for the latest version, approximately 115,000 sites remain exposed to admin takeover attacks.
Original Source: www.bleepingcomputer.com
Sources
- Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin — www.bleepingcomputer.com
