Hackers are exploiting CVE-2026-8181 in the Burst Statistics WordPress plugin to bypass authentication and gain admin-level access on affected sites. Wordfence says the flaw has already been targeted at scale, with more than 7,400 blocked attacks and many sites still exposed if they have not upgraded to version 3.4.2.
Key points
- Burst Statistics is a WordPress analytics plugin used on 200,000 sites.
- CVE-2026-8181 lets unauthenticated attackers impersonate admin users during REST API requests.
- The flaw can also enable the creation of rogue administrator accounts.
- The bug was introduced in version 3.4.0 and is also present in version 3.4.1.
- Users should upgrade to version 3.4.2 or disable the plugin immediately.