Burst Statistics WordPress plugin flaw exposes 200,000 sites to admin takeover attacks


A critical vulnerability in the Burst Statistics WordPress plugin can let unauthenticated attackers impersonate administrator accounts and take over vulnerable websites.

The flaw is tracked as CVE-2026-8181 and affects Burst Statistics versions 3.4.0 through 3.4.1.1. The plugin has more than 200,000 active installations and is marketed as a privacy-friendly analytics alternative for WordPress sites.

The issue has already been patched in Burst Statistics 3.4.2. Site owners should update immediately because Wordfence says attacks targeting the vulnerability are already being blocked.

What happened with Burst Statistics?

Wordfence says its autonomous vulnerability research platform, PRISM, discovered the authentication bypass on May 8, 2026. The vulnerable code had been introduced on April 23, 2026, with Burst Statistics 3.4.0.

The flaw remained in version 3.4.1 and every release through 3.4.1.1. Wordfence disclosed the issue to the Burst Statistics team, and the vendor released version 3.4.2 on May 12.

The fast patch matters, but many WordPress sites do not update plugins immediately. That leaves exposed sites open to account takeover, rogue administrator creation, and full site compromise.

Detail             | Information
-------------------+-----------------------------------------------------
CVE                | CVE-2026-8181
Plugin             | Burst Statistics
Plugin type        | Privacy-friendly WordPress analytics
Affected versions  | 3.4.0 through 3.4.1.1
Patched version    | 3.4.2
Severity           | Critical, CVSS 9.8
Attack type        | Authentication bypass to administrator impersonation

How the authentication bypass works

The vulnerability sits in the plugin’s MainWP integration, where Burst Statistics processes authentication through the HTTP Authorization header.

The affected function does not correctly handle the result of WordPress application password authentication. In some failed authentication cases, WordPress can return null instead of a normal error object.

Burst Statistics then treats that response incorrectly and sets the current user context to the username supplied by the attacker. If the attacker provides a valid administrator username with any random password in a Basic Authentication header, the request can run as that administrator.
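The pattern behind that description, as an added illustration rather than the plugin's actual code: a hypothetical reconstruction of a Basic Authentication handler that accepts "not an error" as success, beside a hardened version. The `example_*` function names are assumptions; `wp_authenticate_application_password()`, `wp_set_current_user()` and `WP_User` are real WordPress APIs.

```php
<?php
// Hypothetical illustration, not Burst Statistics' actual code.
// Both functions receive a username/password pair already parsed from a
// Basic Authentication header and try to establish the WordPress user context.

/**
 * FLAWED pattern: treats "not a WP_Error" as success.
 *
 * wp_authenticate_application_password() returns a WP_User on success and a
 * WP_Error when the user or password is wrong, but it returns its first
 * argument UNCHANGED (here null) when it declines to handle the request, for
 * example when it is not running inside a REST request or application
 * passwords are not in use. A null passes the is_wp_error() check, so the
 * caller falls through and trusts the caller-supplied username.
 */
function example_flawed_basic_auth( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );

    if ( is_wp_error( $result ) ) {
        return false;
    }

    // BUG: also reached when $result is null, not only when it is a WP_User.
    // wp_set_current_user( 0, $login ) resolves the account by login name, so
    // whatever username arrived in the header becomes the current user.
    wp_set_current_user( 0, $username );
    return true;
}

/**
 * HARDENED pattern: accept only an actual WP_User, and use the identity
 * WordPress returned rather than the username supplied in the request.
 */
function example_hardened_basic_auth( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );

    if ( ! ( $result instanceof WP_User ) ) {
        // Covers null, WP_Error and anything unexpected: deny.
        return false;
    }

    wp_set_current_user( $result->ID );
    return true;
}
```

The defensive rule is the positive check: authentication helpers that return a union of "user", "error" and "unchanged input" must be tested for the success type, never for the absence of the error type.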

Why the flaw can lead to full site takeover

The most serious impact comes from WordPress REST API access. Wordfence says an attacker can impersonate an administrator for the duration of a REST API request.

In a worst-case scenario, the attacker can send a request to a core endpoint such as /wp-json/wp/v2/users and create a new administrator account. That gives the attacker persistent access even after the original request ends.

Once attackers create their own administrator account, they can install malicious plugins, add backdoors, redirect visitors, steal data, modify content, or lock the real owner out of the site.

  • Create a new administrator account.
  • Change site settings and user roles.
  • Install malicious plugins or themes.
  • Inject spam, redirects, or malware.
  • Access sensitive site data.
  • Maintain persistence after the first request.

Attackers still need an administrator username

The vulnerability does not require a password, but attackers need to know or guess a valid administrator username.

That condition does not provide strong protection. Many WordPress sites expose usernames through author archives, blog posts, comments, REST API responses, leaked credentials, or predictable naming patterns.

Attackers can also brute-force likely usernames before attempting the authentication bypass. For that reason, hiding usernames alone cannot replace the plugin update.

Requirement               | What it means
--------------------------+-----------------------------------------
Authentication            | Not required
Administrator password    | Not required
Administrator username    | Needed for impersonation
User interaction          | Not required from the site owner
Vulnerable plugin version | Burst Statistics 3.4.0 through 3.4.1.1

Wordfence says attacks are already happening

Wordfence’s vulnerability database shows thousands of attacks targeting CVE-2026-8181 in a 24-hour period. BleepingComputer also reported active exploitation attempts against vulnerable sites.

This makes the update more urgent than a normal plugin patch. Public exploit details and active probing usually shorten the time site owners have before automated attacks spread.

Sites running an affected version should assume attackers may scan for the plugin and try known administrator usernames.

Patch timeline

The timeline shows how quickly the issue moved from discovery to patching. It also shows how briefly a vulnerable plugin release can sit in the ecosystem before attackers start looking for it.

Wordfence says PRISM found the flaw on May 8 and the Burst Statistics team released a full patch on May 12. Premium Wordfence users received a firewall rule on the discovery date, while free users are scheduled to receive the same protection on June 7.

  1. April 23, 2026: Burst Statistics 3.4.0 introduced the vulnerable code.
  2. May 8, 2026: PRISM discovered and Wordfence validated the vulnerability.
  3. May 8, 2026: Wordfence Premium, Care, and Response customers received firewall protection.
  4. May 11, 2026: Wordfence sent full disclosure details to the vendor.
  5. May 12, 2026: Burst Statistics 3.4.2 was released with the fix.
  6. June 7, 2026: Wordfence Free users are scheduled to receive the firewall rule.

What site owners should do now

WordPress administrators should update Burst Statistics to version 3.4.2 or later immediately. Updating the plugin is the main fix.

After updating, site owners should check whether any unknown administrator accounts were created after the vulnerable versions were installed. They should also review recent REST API activity, login logs, plugin changes, and theme file modifications.

If a site ran a vulnerable version and shows signs of compromise, the safest response is to rotate passwords, remove unknown users, audit plugins, scan for malware, and restore from a clean backup if needed.

  • Update Burst Statistics to 3.4.2 or later.
  • Confirm that the update completed successfully.
  • Check the Users page for unknown administrator accounts.
  • Review recent plugin, theme, and settings changes.
  • Inspect access logs for suspicious REST API requests.
  • Reset administrator passwords if compromise is suspected.
  • Rotate application passwords and API keys.
  • Run a malware scan on the site.
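One way to carry out the "inspect access logs for suspicious REST API requests" step, as an added example that is not from the article, Wordfence or the plugin. It assumes web-server logs in the common "combined" format and looks for write requests (POST, PUT, PATCH, DELETE) against the core users endpoint, the step the article names as the route to a persistent administrator account. The sample log lines are constructed, and the function names are mine.

```php
<?php
// Added example, not code from the article or the plugin. Flags REST API
// requests that create or modify WordPress users in combined-format logs.
// Usage: php hunt-rest-users.php /var/log/apache2/access.log
//        php hunt-rest-users.php          (no argument: runs on the sample below)

// Constructed sample log lines for a self-contained run; not real traffic.
$sample_log = <<<'LOG'
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2026:10:01:07 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 642 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:02:15 +0000] "POST /?rest_route=/wp/v2/users/3 HTTP/1.1" 401 660 "-" "curl/8.4.0"
192.0.2.5 - - [12/May/2026:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into the fields we need, or return null.
 * Layout: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
 */
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'agent'  => $m[6],
    ];
}

/**
 * True when the request targets the core users endpoint, either through
 * pretty permalinks (/wp-json/wp/v2/users...) or the rest_route query parameter
 * used when permalinks are plain.
 */
function targets_users_endpoint( string $path ): bool {
    $re = '#(?:^/wp-json/wp/v2/users|[?&]rest_route=/wp/v2/users)(?:/|\?|&|$)#';
    return (bool) preg_match( $re, $path );
}

/**
 * Return the write requests against the users endpoint. 'accepted' is true
 * for a 2xx response; an accepted POST to /wp-json/wp/v2/users means an
 * account was created and should be reconciled against the Users page.
 */
function find_user_endpoint_writes( string $log ): array {
    $hits = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = parse_combined_line( $line );
        if ( $req === null ) {
            continue; // not a combined-format line; skip rather than guess
        }
        if ( ! in_array( $req['method'], [ 'POST', 'PUT', 'PATCH', 'DELETE' ], true ) ) {
            continue;
        }
        if ( ! targets_users_endpoint( $req['path'] ) ) {
            continue;
        }
        $req['accepted'] = $req['status'] >= 200 && $req['status'] < 300;
        $hits[]          = $req;
    }
    return $hits;
}

$log = $sample_log;
if ( isset( $argv[1] ) ) {
    $contents = file_get_contents( $argv[1] );
    if ( $contents === false ) {
        fwrite( STDERR, "cannot read {$argv[1]}\n" );
        exit( 1 );
    }
    $log = $contents;
}

$hits = find_user_endpoint_writes( $log );
foreach ( $hits as $h ) {
    printf(
        "%s %-15s %-6s %s -> %d%s  [%s]\n",
        $h['time'], $h['ip'], $h['method'], $h['path'], $h['status'],
        $h['accepted'] ? ' ACCEPTED' : '', $h['agent']
    );
}
printf( "%d user-endpoint write(s) found\n", count( $hits ) );
```

Access logs do not record the Authorization header, so this finds the effect (an account created or changed through the REST API) rather than the bypass itself. Rejected writes (4xx) still show probing worth noting, and every accepted hit should be matched against the registration dates of accounts on the Users page.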

How to check whether your site uses a vulnerable version

Site owners can check the plugin version from the WordPress dashboard. The affected versions are 3.4.0, 3.4.1, and 3.4.1.1.

If automatic plugin updates are enabled, the site may already have version 3.4.2 or newer. Administrators should still verify the installed version rather than assuming the update succeeded.

Agencies and hosting providers should search across all managed sites because the same plugin may run on many client installations.

  1. Log in to the WordPress dashboard.
  2. Go to Plugins.
  3. Find Burst Statistics.
  4. Check the version number.
  5. Update immediately if the version is 3.4.0 through 3.4.1.1.
  6. Recheck the version after the update finishes.

Why this flaw matters for WordPress security

Authentication bypass flaws are among the most dangerous WordPress plugin vulnerabilities because they can skip normal login protections entirely.

In this case, the attacker does not need a password, a subscriber account, or access to the admin panel. A crafted REST API request can be enough if the site runs a vulnerable version and the attacker knows a valid administrator username.

The incident also shows how security tools are changing vulnerability discovery. Wordfence says PRISM found the issue 15 days after the vulnerable code was introduced, reducing the time the flaw remained unknown. Site owners still need fast patching to close the exposure window.

FAQ

What is CVE-2026-8181 in Burst Statistics?

CVE-2026-8181 is a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin. It can let unauthenticated attackers impersonate an administrator during REST API requests if they know a valid administrator username.

Which Burst Statistics versions are affected?

Burst Statistics versions 3.4.0 through 3.4.1.1 are affected. The vulnerability is patched in version 3.4.2.

Can attackers exploit the Burst Statistics flaw without a password?

Yes. Attackers do not need a password, but they need to know or guess a valid administrator username. They can then send any random password in a Basic Authentication header to trigger the bypass.

What should WordPress site owners do about CVE-2026-8181?

Site owners should update Burst Statistics to version 3.4.2 or later, check for unknown administrator accounts, review recent REST API activity, and scan the site for malware if it ran a vulnerable version.
