According to Bleeping Computer, hackers are exploiting a critical authentication bypass vulnerability in the popular WordPress plugin Burst Statistics, potentially granting them administrative access to websites.The flaw, identified as CVE-2026-8181, was introduced in version 3.4.0 and persists in 3.4.1 of the Burst Statistics plugin, which is installed on approximately 200,000 WordPress sites. Discovered by Wordfence, the vulnerability allows unauthenticated attackers to impersonate existing administrators or create new admin accounts by exploiting how the plugin handles REST API requests and authentication. Attackers can leverage this by supplying incorrect credentials in a Basic Authentication header, leading to the execution of actions as an administrator. This could result in data theft, malware distribution, or website redirection.Wordfence has reported blocking over 7,400 attacks in the past 24 hours, indicating active exploitation. Users are strongly advised to update to version 3.4.2 or disable the plugin entirely to mitigate the risk.Source: Bleeping Computer
Vulnerability Management
Critical vulnerability in Burst Statistics plugin allows admin takeover

(Credit: Bilal Ulker – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



