Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.

Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.

According to Wordfence, which discovered CVE-2026-8181 on May 8, the flaw allows unauthenticated attackers to impersonate known admin users during REST API requests, and even create rogue admin accounts.

“This vulnerability allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” explains Wordfence.

Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

Other newsrooms on this story

Related reading

Avada Builder WordPress plugin flaws allow site credential theft

Other newsrooms on this story

Related reading

Avada Builder WordPress plugin flaws allow site credential theft

Funnel Builder WordPress plugin bug exploited to steal credit cards

Secure Your WordPress Website Now — 8.7 Million Attacks In 48 Hours

Critical cPanel exploited: 'Millions' of sites could be hit

Hackers are mass-exploiting the cPanel bug to gain control of thousands of…

Hackers are actively exploiting a bug in cPanel, used by millions of websites |…