A critical vulnerability in the Burst Statistics WordPress plugin (CVE-2026-8181) is being actively exploited to obtain administrator-level access, turning sites that run the plugin into full-takeover targets. Burst Statistics, marketed as a lightweight, privacy-friendly alternative to Google Analytics and installed on roughly 200,000 sites, introduced the vulnerable code in version 3.4.0; it remained present in 3.4.1.
The root cause lies in how the plugin validates credentials through the WordPress core function wp_authenticate_application_password(). That function returns a WP_User on success, a WP_Error when the application password is wrong, and its unchanged first argument (typically null) when no application-password authentication was attempted at all. The Burst Statistics code treats the WP_Error and null outcomes as if they were successful authentication and then calls wp_set_current_user() with the username supplied by the attacker, which lets any known administrator be impersonated during REST API requests.

This is not theoretical: the WordPress REST API exposes sensitive endpoints such as /wp-json/wp/v2/users, and because the flaw short-circuits the HTTP Basic authentication check, an attacker can supply any password and still be treated as the named administrator. Administrator usernames are frequently exposed in comments, post author metadata or public requests, and when they are not, they can be brute-forced, which further simplifies the attacker's work.
The practical consequences are severe: with administrator privileges an attacker can create rogue administrative accounts, plant backdoors in files and in the database, distribute malware, redirect traffic, inject malicious SEO content or exfiltrate confidential data. Wordfence researchers have confirmed exploitation in the wild and report blocking large volumes of exploit attempts; their public write-up documents the ongoing campaign and recommends updating or disabling the plugin immediately. Further technical details and alerts are available in the Wordfence advisory (Wordfence - Burst Statistics) and in its threat tracker (Wordfence Threat Intel).
The immediate, non-negotiable step for site administrators is to update to the patched version 3.4.2, released on 12 May 2026, or, if updating immediately is not possible, to disable the plugin until the patch can be applied. The download statistics accompanying the release show that tens of thousands of installations have already fetched the fixed version, but many potentially exposed sites remain; the plugin page in the official repository lists download figures and version history: Burst Statistics - WordPress.org.
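The following PHP is an added illustrative example, not the Burst Statistics source and not code from the article: it models the failure mode described above (a WP_Error or null result from wp_authenticate_application_password() accepted as success, followed by wp_set_current_user() on an attacker-chosen login) next to a hardened variant. The function names burst_auth_vulnerable() and burst_auth_hardened() and the 'admin' account are hypothetical; the snippet assumes it is loaded inside WordPress (for instance as an mu-plugin on a disposable test site).

```php
<?php
/**
 * Added example (hypothetical, not the plugin's own code). It contrasts a
 * modelled vulnerable credential check with a hardened one.
 *
 * wp_authenticate_application_password( $input_user, $username, $password )
 * returns:
 *   - WP_User  when the application password is valid,
 *   - WP_Error when it is wrong (e.g. 'incorrect_password'),
 *   - its first argument unchanged (null here) when no application-password
 *     login was attempted: outside a REST/XML-RPC request, without a Basic
 *     auth header, or when no application password exists on the site.
 */

/**
 * Vulnerable pattern (modelled): anything other than an explicit false is
 * accepted, and the caller-supplied login is handed to wp_set_current_user().
 */
function burst_auth_vulnerable( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );

    if ( false === $result ) { // BUG: WP_Error and null both pass this check
        return new WP_Error( 'burst_auth_failed', 'Authentication failed.', array( 'status' => 401 ) );
    }

    // BUG: id 0 plus a login name makes WordPress look the account up by
    // login, so the request now runs as whatever name the client sent.
    wp_set_current_user( 0, $username );
    return wp_get_current_user();
}

/**
 * Hardened pattern: only a WP_User proves the credentials, the account it
 * resolves to must match the login the client claimed, and the current user
 * is set by ID, never by an untrusted name.
 */
function burst_auth_hardened( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );

    if ( ! ( $result instanceof WP_User ) ) {
        // Covers WP_Error (wrong password) and null (no auth attempted).
        return new WP_Error( 'burst_auth_failed', 'Authentication failed.', array( 'status' => 401 ) );
    }

    if ( ! hash_equals( $result->user_login, (string) $username ) ) {
        return new WP_Error( 'burst_auth_mismatch', 'Authenticated account does not match the requested login.', array( 'status' => 403 ) );
    }

    wp_set_current_user( $result->ID );
    return $result;
}

// Demonstration on a disposable site: a bogus password for an existing
// administrator named 'admin' (assumed) is accepted by the vulnerable
// variant and rejected by the hardened one.
$user = burst_auth_vulnerable( 'admin', 'not-the-real-password' );
echo ( $user instanceof WP_User && $user->ID > 0 )
    ? "vulnerable: request now runs as {$user->user_login}\n"
    : "vulnerable: rejected\n";

wp_set_current_user( 0 ); // reset the global current user between runs
$user = burst_auth_hardened( 'admin', 'not-the-real-password' );
echo is_wp_error( $user )
    ? 'hardened: rejected (' . $user->get_error_code() . ")\n"
    : "hardened: request now runs as {$user->user_login}\n";
```

The check that matters is `$result instanceof WP_User`: is_wp_error() alone is not enough, because the null "nothing was attempted" case is neither a WP_User nor a WP_Error, and on a site with no application passwords at all it is the only value the core function will ever return.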

If there is the slightest suspicion that a site has been compromised, treat it as compromised: put the site into maintenance mode or restrict access, review the user list both from the dashboard and directly in the database to detect new or unknown administrative accounts and remove them, inspect files and directories for backdoors and recent modifications, compare against clean backups and consider restoring from a verified earlier copy. It is also essential to rotate administrator credentials and database passwords, regenerate the WordPress keys and salts (which invalidates existing login cookies), and review web server access logs and PHP and login logs to establish the compromise window.
To reduce future risk, apply hardening measures: restrict access to the REST API where it is not needed, enable two-factor authentication on high-privilege accounts, enforce strong passwords and non-obvious usernames, remove unused plugins and themes, and deploy a web application firewall (at the application layer or through the hosting provider) capable of blocking mass exploitation attempts. The official WordPress hardening guide is a good starting point: Hardening WordPress - WordPress.org.
Finally, document the incident and, if sufficient in-house expertise is lacking, engage the hosting provider or an incident response team to perform forensic analysis and to contain and eradicate any persistence. Updating now remains the single most effective action against the ongoing campaign; delaying the update sharply increases the likelihood of an intrusion that will require hours of cleanup and may cause data loss or reputational damage.
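One way to implement the "restrict the REST API where it is not needed" measure, as an added example that is not part of the article or of any plugin: an mu-plugin that hooks the core rest_authentication_errors filter and denies unauthenticated REST requests outside an allow-list of public route prefixes. The allow-list entries are placeholders to be replaced with the namespaces a given site genuinely needs to keep public.

```php
<?php
/**
 * Added hardening example (not the article's or plugin's code). Save as
 * wp-content/mu-plugins/restrict-rest-api.php. Unauthenticated REST requests
 * are rejected with 401 unless their route starts with an allow-listed
 * prefix; logged-in users are unaffected.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already reached a verdict (true = ok, WP_Error = deny).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    if ( is_user_logged_in() ) {
        return $result;
    }

    // Hypothetical allow-list of route prefixes that may stay public.
    $public_prefixes = array(
        '/contact-form-7/v1/', // placeholder: a form plugin's namespace
        '/oembed/1.0/',        // used by WordPress embeds
    );

    // Resolve the route from the pretty URL (/wp-json/...) ...
    $path      = (string) wp_parse_url( (string) ( $_SERVER['REQUEST_URI'] ?? '' ), PHP_URL_PATH );
    $rest_root = '/' . rest_get_url_prefix() . '/';
    $route     = ( 0 === strpos( $path, $rest_root ) ) ? substr( $path, strlen( $rest_root ) - 1 ) : '';

    // ... or from ?rest_route=/... on sites without pretty permalinks.
    if ( '' === $route && isset( $_GET['rest_route'] ) ) {
        $route = '/' . ltrim( (string) $_GET['rest_route'], '/' );
    }

    foreach ( $public_prefixes as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }

    return new WP_Error(
        'rest_login_required',
        'Authentication is required to access the REST API on this site.',
        array( 'status' => 401 )
    );
} );
```

Two caveats a practitioner should keep in mind. First, this filter runs after WordPress has determined the current user, so if a plugin has already set a forged identity earlier in the request, is_user_logged_in() returns true and the request passes; the filter reduces unauthenticated reconnaissance such as listing authors through /wp/v2/users, but it is defence in depth, not a substitute for the 3.4.2 update. Second, many themes, page builders and integrations make unauthenticated REST calls from the front end, so test the allow-list on a staging site before deploying it.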