Burst Statistics flaw opens WordPress sites to admin takeover

Vlad CONSTANTINESCU
A critical Burst Statistics bug is being exploited to hijack WordPress sites through forged administrator requests.

Hackers are exploiting CVE-2026-8181, a critical authentication bypass in the Burst Statistics WordPress plugin used on more than 200,000 websites. The plugin is promoted as a privacy-minded analytics alternative for site owners who want traffic insights without Google Analytics.

The vulnerability affects Burst Statistics versions 3.4.0 through 3.4.1.1 and carries a 9.8 CVSS score. Wordfence said its PRISM system found the flaw on May 8, and the vendor issued version 3.4.2 on May 12.

Bug turns fake logins into admin sessions

The issue stems from the plugin’s MainWP-related authentication handling. Under certain REST API requests, Burst Statistics incorrectly treats a failed or incomplete WordPress application password check as valid authentication.

That means an unauthenticated attacker who knows or guesses a real administrator username can send a request with a bogus password and still be treated as that admin for the duration of the request. Worse, the attacker can then create a new administrator account, so access does not end with that single forged request.

Exploitation already underway

The risk is not just theoretical. Wordfence telemetry shows more than 4,000 blocked attacks against CVE-2026-8181 in the last 24 hours, indicating that attackers moved quickly after public disclosure.

Admin usernames are often easier to obtain than site owners expect, appearing in author archives, comments, REST API output or older content. Once inside, attackers could add backdoors, change site settings, steal database content, redirect visitors, create covert admin accounts or push malware.

Site owners should patch immediately

Anyone running Burst Statistics should update immediately to version 3.4.2 or later. Sites that can’t patch right away should disable the plugin until the update can be applied safely.

Administrators should also review user accounts for unfamiliar admins, inspect recent REST API activity and check for unexpected plugin, theme or file changes.
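A small triage script covering the two checks above, the version test and the review of administrator accounts, is shown here as an added example; it is not Bitdefender's, Wordfence's or the plugin's own code. It consumes the JSON that WP-CLI emits for `wp plugin get <slug> --format=json` and `wp user list --role=administrator --format=json`; the plugin slug `burst-statistics`, the use of WP-CLI and the sample records embedded below are assumptions or constructed data, and the affected version range and fixed release come from the article.

```python
"""Post-disclosure triage for CVE-2026-8181 (Burst Statistics auth bypass).

Added example, not code from the article or the plugin. Input is the JSON
that WP-CLI would produce (assumed commands):
    wp plugin get burst-statistics --format=json
    wp user list --role=administrator --format=json
The sample data below is constructed for illustration.
"""
import json
from datetime import datetime

# Affected range per the advisory: 3.4.0 through 3.4.1.1; fixed in 3.4.2.
FIRST_AFFECTED = (3, 4, 0)
FIXED_VERSION = (3, 4, 2)

# Constructed sample of `wp plugin get burst-statistics --format=json`.
SAMPLE_PLUGIN_JSON = json.dumps(
    {"name": "burst-statistics", "status": "active", "version": "3.4.1.1"}
)

# Constructed sample of `wp user list --role=administrator --format=json`.
# The third account appeared after the flaw became known and is the kind of
# entry the article tells site owners to look for.
SAMPLE_ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-02 10:15:00"},
    {"ID": 7, "user_login": "editor-jane", "user_email": "jane@example.com",
     "user_registered": "2023-11-14 08:40:21"},
    {"ID": 42, "user_login": "wp-support", "user_email": "support@mailbox.invalid",
     "user_registered": "2026-05-10 02:17:55"},
])


def parse_version(text):
    """'3.4.1.1' -> (3, 4, 1, 1). Tuples compare component-wise, so
    (3, 4, 1, 1) < (3, 4, 2) holds, which plain string comparison gets wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version_text):
    """True when the installed version falls inside the affected range."""
    version = parse_version(version_text)
    return FIRST_AFFECTED <= version < FIXED_VERSION


def recent_admins(users_json, since_date):
    """Return logins of administrators registered on or after `since_date`
    (YYYY-MM-DD), i.e. accounts created inside the exposure window that
    deserve a manual look."""
    since = datetime.strptime(since_date, "%Y-%m-%d")
    flagged = []
    for user in json.loads(users_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            flagged.append(user["user_login"])
    return flagged


def triage(plugin_json, users_json, since_date):
    """Combine both checks into one report dict."""
    version = json.loads(plugin_json)["version"]
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "recent_admins": recent_admins(users_json, since_date),
    }


if __name__ == "__main__":
    # May 8 is the discovery date given in the article; use the last date the
    # site was known to be clean in practice.
    report = triage(SAMPLE_PLUGIN_JSON, SAMPLE_ADMINS_JSON, "2026-05-08")
    print(json.dumps(report, indent=2))
    if report["vulnerable"]:
        print("Update Burst Statistics to 3.4.2 or later, or disable it until you can.")
    for login in report["recent_admins"]:
        print(f"Review administrator account created recently: {login}")
```

On a real site, pipe the two WP-CLI commands into the functions instead of the constructed samples; the account list only tells you who was created when, so any flagged login still needs a human to confirm it belongs there before it is removed.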

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.