Burst Statistics CVE-2026-8181 Exploited for WordPress Admin Takeover

Stephanie Adlam

Attackers are exploiting CVE-2026-8181, a critical authentication bypass in the Burst Statistics WordPress analytics plugin. Wordfence rates the flaw CVSS 9.8 and says versions 3.4.0 through 3.4.1.1 can let an unauthenticated attacker impersonate a known administrator during REST API requests by abusing incorrect return-value handling in wp_authenticate_application_password() [1].

Burst Statistics is installed on more than 200,000 WordPress sites, and version 3.4.2 was released on May 12, 2026. The WordPress plugin directory now lists 3.4.2 as current, with the changelog noting security hardening around MainWP proxy authentication, REST namespace handling, and auto-installer permissions [2]. BleepingComputer, citing Wordfence data, reported more than 7,400 blocked attacks targeting the vulnerability in a 24-hour period [3].

What Site Owners Should Check

The key risk is admin-level persistence, not just a one-time dashboard view. The vulnerable MainWP-related authentication path can cause WordPress to treat a request as an administrator session even when the supplied application password was not actually validated. From there, attackers may be able to create a rogue administrator, mint an application password, or use REST endpoints as if they were the site owner.

For a quick triage pass, check whether burst-statistics is installed and whether the active version is below 3.4.2. If it is, update immediately or temporarily disable the plugin. Then inspect WordPress users for new admin accounts, review Application Passwords on administrator users, and look for unexpected REST API activity around user creation or Burst/MainWP-related requests. This is especially important if the admin username is easy to guess or publicly visible through author pages, sitemaps, or old posts.
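A triage helper for the checks just described, added here as an example and not taken from the article, Wordfence or the Burst Statistics project: it tests an installed version against the 3.4.0 through 3.4.1.1 range (handling the four-part version string correctly), reads a constructed sample in the shape of wp-cli's plugin list, and counts REST requests to the WordPress user-creation and application-password endpoints in constructed access-log lines.

```shell
#!/bin/sh
# Added triage helper, not from the article or the Burst Statistics project.
# Sample data is constructed; on a real site feed `wp plugin list --format=csv`
# output and the web server access log instead.

# burst_affected VERSION -> prints "affected" or "ok".
# Affected range per the advisory: 3.4.0 <= VERSION < 3.4.2 (fixed release).
# sort -V orders the four-part 3.4.1.1 before 3.4.2; plain string compare does not.
burst_affected() {
  v="$1"; lo="3.4.0"; fixed="3.4.2"
  lowest=$(printf '%s\n%s\n' "$lo" "$v" | sort -V | head -n1)
  highest=$(printf '%s\n%s\n' "$v" "$fixed" | sort -V | tail -n1)
  if [ "$lowest" = "$lo" ] && [ "$highest" = "$fixed" ] && [ "$v" != "$fixed" ]; then
    echo affected
  else
    echo ok
  fi
}

# Constructed sample in the shape of `wp plugin list --format=csv`.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
burst-statistics,active,available,3.4.1.1
woocommerce,inactive,none,9.1.0'

# check_burst_from_csv CSV -> "affected <ver>", "ok <ver>" or "not-installed".
check_burst_from_csv() {
  line=$(printf '%s\n' "$1" | grep '^burst-statistics,' | head -n1)
  if [ -z "$line" ]; then
    echo not-installed
  else
    ver=$(printf '%s' "$line" | cut -d, -f4)
    echo "$(burst_affected "$ver") $ver"
  fi
}

# Constructed access-log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges). Real triage reads the actual server log.
SAMPLE_LOG='203.0.113.5 - - [13/May/2026:10:01:02 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 512
198.51.100.7 - - [13/May/2026:10:02:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192
203.0.113.5 - - [13/May/2026:10:03:30 +0000] "POST /wp-json/wp/v2/users/1/application-passwords HTTP/1.1" 201 300'

# count_suspicious_rest LOG -> number of REST calls that create users or mint
# application passwords, the two persistence steps the article names.
count_suspicious_rest() {
  printf '%s\n' "$1" | grep -cE '"POST /wp-json/wp/v2/users(/[0-9]+/application-passwords)?[ ?]' || true
}
echo "burst-statistics: $(check_burst_from_csv "$SAMPLE_PLUGINS")"
echo "user-create/app-password REST calls to review: $(count_suspicious_rest "$SAMPLE_LOG")"
```

A hit count above zero is a prompt to review those requests and the resulting accounts, not proof of compromise on its own.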

This case sits in the same practical risk area as other WordPress compromise paths Gridinsoft has covered: ClickFix WordPress attacks pushing Vidar, GoDaddy ManageWP phishing ads targeting WordPress admins, and older exploitation of the Ultimate Member WordPress plugin. The common pattern is that a single trusted site component becomes the doorway for phishing, malware delivery, or full site takeover. If an affected site was already abused, it can later feed the broader problem Gridinsoft described in its coverage of phishing with hacked sites.

Another recent plugin-risk case is Avada Builder CVE-2026-4782 and CVE-2026-4798, where file-read and SQL injection exposure depends on account access and WooCommerce history rather than a single obvious “is the plugin active?” check.

References

  1. Wordfence Threat Intelligence, "Burst Statistics 3.4.0 – 3.4.1.1 Authentication Bypass to Admin Account Takeover", advisory, May 13, 2026.
  2. WordPress.org Plugin Directory, Burst Statistics version 3.4.2 and changelog, updated May 12, 2026.
  3. BleepingComputer, "Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin", May 14, 2026.

For WooCommerce stores, plugin compromise can turn directly into payment theft, as seen in the FunnelKit checkout skimmer attacks.

Another plugin-specific admin takeover to check is WP Maps Pro CVE-2026-8732, which can create a new WordPress administrator account through a vulnerable map plugin support path.

Related WordPress takeover risk: Kirki CVE-2026-8206 uses a different password-reset route, so site owners should also audit administrator resets and plugin versions if Kirki is installed.
