WordPress sites are again being attacked through a critical flaw in a popular plugin. This time the target is Burst Statistics, an analytics plugin installed on roughly 200,000 sites. The vulnerability lets an unauthenticated attacker obtain administrator privileges, so affected site owners risk losing control of their sites outright.
The flaw is tracked as CVE-2026-8181. According to Wordfence, it was introduced on April 23 with the release of Burst Statistics 3.4.0 and remained present in 3.4.1. Researchers found the bug on May 8, and active exploitation began almost immediately after the details were made public.
The root cause is incorrect handling of the value returned by wp_authenticate_application_password(). That core function can return a WP_User on a successful application-password check, a WP_Error on failure, or pass its input through unchanged when application-password authentication does not apply to the request; the plugin treated some of the non-success results as a successful verification and then set the current user to the identity named in the attacker's request. As a result, an attacker could act as a known administrator for the duration of a REST API request, even with an invalid password.
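The bug class described above, as an added illustration in PHP. This is hypothetical plugin code written for this article, not the Burst Statistics plugin's own code: the route, the `user`/`pass` parameters and the `burst_demo_` prefix are assumptions. Only wp_authenticate_application_password(), its three possible results and the other WordPress functions called are real. The vulnerable callback only excludes WP_Error, so the pass-through result (null here) counts as success; the fixed callback accepts nothing but the WP_User that core itself returned.

```php
<?php
/**
 * Hypothetical REST authentication shim written for this article to show the
 * bug class. It is NOT the Burst Statistics plugin's code; the route, the
 * parameter names and the burst_demo_ prefix are all assumptions.
 *
 * wp_authenticate_application_password( $input_user, $username, $password )
 * has three outcomes:
 *   - a WP_User   : the application password matched
 *   - a WP_Error  : the user or the password was wrong
 *   - $input_user : application-password auth does not apply to this request
 *                   (for instance, no application password has ever been
 *                   created on the site); with null as first argument the
 *                   function returns null
 */

// Vulnerable pattern: "not an error" is taken to mean "authenticated".
function burst_demo_permission_vulnerable( WP_REST_Request $request ) {
	$username = (string) $request->get_param( 'user' );
	$password = (string) $request->get_param( 'pass' );

	$result = wp_authenticate_application_password( null, $username, $password );

	if ( ! is_wp_error( $result ) ) {
		// The pass-through case (null) lands here with any password at all.
		// The identity is then taken from the attacker's request rather than
		// from a verified credential: name an administrator's login and the
		// rest of this REST request runs as that administrator.
		$user = get_user_by( 'login', $username );
		if ( $user ) {
			wp_set_current_user( $user->ID );
			return true;
		}
	}
	return false;
}

// Fixed pattern: accept only a WP_User that core actually returned, take the
// identity from that object, and still require the capability the route needs.
function burst_demo_permission_fixed( WP_REST_Request $request ) {
	$username = (string) $request->get_param( 'user' );
	$password = (string) $request->get_param( 'pass' );

	$result = wp_authenticate_application_password( null, $username, $password );

	if ( ! ( $result instanceof WP_User ) ) {
		// Rejects both WP_Error and the null pass-through.
		return new WP_Error( 'rest_forbidden', 'Authentication failed.', array( 'status' => 401 ) );
	}

	wp_set_current_user( $result->ID );
	return current_user_can( 'manage_options' );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'burst-demo/v1', '/stats', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => function () {
			// Reports which user the request ended up running as.
			return array( 'user' => wp_get_current_user()->user_login );
		},
		// Swap in burst_demo_permission_vulnerable on a throwaway site to
		// reproduce the bug class; never on a production install.
		'permission_callback' => 'burst_demo_permission_fixed',
	) );
} );
```

With the vulnerable callback in place, a request such as GET /wp-json/burst-demo/v1/stats?user=admin&pass=anything on a site where the pass-through case applies answers with the administrator's login, because null survives the is_wp_error() test. The fixed callback answers 401. The defensive rule is the same for any authentication helper with more than two outcomes: test for the one value that means success, never for the absence of the value that means failure.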
Exploitation requires knowing an administrator's username, but usernames are routinely exposed on author pages, in comments, or through public REST API endpoints such as /wp-json/wp/v2/users, and can otherwise be found by enumeration. Once authenticated as an administrator, the attacker can create a new administrator account, read private data, plant a persistent backdoor, redirect visitors to malicious sites, or distribute malware from the compromised site.
Wordfence reports blocking more than 7,400 exploitation attempts against CVE-2026-8181 in a single 24-hour period. That volume shows the threat has moved quickly from a theoretical risk to an active campaign.
The developers released the fixed version, Burst Statistics 3.4.2, on May 12, 2026. Site administrators are urged to install the update immediately or temporarily deactivate the plugin. Updating closes the hole but does not undo anything done through it, so any site that ran 3.4.0 or 3.4.1 while exposed should also review its administrator accounts and recently modified files. According to WordPress.org statistics, the plugin has been downloaded about 85,000 times since 3.4.2 was released. Even if every one of those downloads was the patched version, an estimated 115,000 sites may still be exposed to administrative takeover.