Security
Burst Statistics Plugin Vulnerability: Admin Access Risk
By Steven | TrustYourWebsite | 2 min read
Source: BleepingComputer
A serious vulnerability in the Burst Statistics WordPress plugin is currently being targeted by attackers, putting website owners at risk of losing full administrative control of their sites. If you use this plugin for tracking visitor statistics, you need to act now.
What is happening?
According to BleepingComputer, hackers are actively exploiting a critical authentication bypass vulnerability, tracked as CVE-2026-8181, in the Burst Statistics plugin. The flaw allows attackers to bypass the login process entirely and gain admin-level access to a WordPress site, without needing a valid password.
The vulnerability works because the plugin misreads the result of a WordPress authentication function. That function returns an error object (or nothing at all) when the credentials are wrong, but the plugin treats either outcome as a successful login. An attacker can therefore submit any incorrect password in a REST API request and still be granted administrator access. In the worst case, according to BleepingComputer, an attacker with no prior access at all could use this to create a brand new administrator account on your site.
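To make the bug class concrete, here is an added example (not code from the Burst Statistics plugin, whose actual check is not shown on this page) of a WordPress login check that misreads the return value of wp_authenticate(), shown beside a hardened version. The real wp_authenticate() returns a WP_User on success and a WP_Error on failure; the WP_Error, WP_User, is_wp_error() and wp_authenticate() stand-ins below are constructed so the file runs with plain `php` outside WordPress, and the "admin" / "correct-horse" account is made up for the demonstration.

```php
<?php
// Added example, not code from the Burst Statistics plugin: a WordPress
// login check that misreads the return value of wp_authenticate(), beside
// a hardened version. Real wp_authenticate() returns a WP_User on success
// and a WP_Error on failure. The stand-ins below exist only so the file
// runs with plain `php`; inside WordPress the real classes are used.

if (!class_exists('WP_Error')) {
    class WP_Error {
        public array $errors = [];
        public function __construct(string $code = '', string $message = '') {
            if ($code !== '') {
                $this->errors[$code][] = $message;
            }
        }
    }
}
if (!class_exists('WP_User')) {
    class WP_User {
        public int $ID;
        public function __construct(int $id) { $this->ID = $id; }
    }
}
if (!function_exists('is_wp_error')) {
    function is_wp_error($thing): bool { return $thing instanceof WP_Error; }
}
if (!function_exists('wp_authenticate')) {
    // Constructed stand-in with one hard-coded account; it mirrors the real
    // function's return types, not its logic.
    function wp_authenticate(string $username, string $password) {
        if ($username === 'admin' && $password === 'correct-horse') {
            return new WP_User(1);
        }
        return new WP_Error('incorrect_password', 'The password is incorrect.');
    }
}

// Hypothetical vulnerable check: it only rejects boolean false.
// wp_authenticate() never returns false; failures come back as a WP_Error
// object, which is truthy, so a wrong password falls through to the
// "logged in" branch. A null result would fall through the same way.
function vulnerable_is_authenticated(string $username, string $password): bool {
    $user = wp_authenticate($username, $password);
    if ($user === false) {
        return false;
    }
    return true;
}

// Hardened check: only a real WP_User with a positive ID counts as a login.
// Anything else (WP_Error, null, false, a stray array) is rejected. The
// is_wp_error() test is redundant with instanceof but makes the intent
// obvious to the next reader.
function hardened_is_authenticated(string $username, string $password): bool {
    $user = wp_authenticate($username, $password);
    if (is_wp_error($user)) {
        return false;
    }
    return $user instanceof WP_User && $user->ID > 0;
}

// Run both checks against a correct and an incorrect password.
foreach (['vulnerable_is_authenticated', 'hardened_is_authenticated'] as $check) {
    foreach ([['admin', 'correct-horse'], ['admin', 'wrong-password']] as [$u, $p]) {
        printf("%-28s %-6s / %-15s => %s\n", $check, $u, $p,
               $check($u, $p) ? 'AUTHENTICATED' : 'rejected');
    }
}
```

Run it with `php example.php`: the vulnerable check reports AUTHENTICATED for both passwords, the hardened check only for the correct one. In a real REST route, a valid login should still not be treated as administrator access on its own; the route's `permission_callback` should additionally verify the capability it needs with `current_user_can()`.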
How widespread is the problem?
Burst Statistics is installed on around 200,000 WordPress sites. According to BleepingComputer, roughly 115,000 of those sites are still exposed to this vulnerability. Wordfence, the security firm that identified the flaw on 8 May 2026, reports having blocked over 7,400 attacks targeting this vulnerability in a single 24-hour period. That figure gives a clear indication of how actively this is being targeted.
What can attackers do with admin access?
Admin-level access to your WordPress site is essentially the keys to the building. An attacker with this level of control could read private data, install malicious code, redirect your visitors to harmful websites, or lock you out of your own site entirely. For a small business, this kind of breach can damage your reputation and potentially put your customers' data at risk.
What should you do right now?
The fix is straightforward. According to BleepingComputer, you should upgrade the Burst Statistics plugin to version 3.4.2 or later as soon as possible. If you are unable to update immediately, disabling the plugin is the safer option until you can.
You can check which plugins are installed on your site by logging into your WordPress dashboard and navigating to the Plugins section. If you are unsure how to do this, ask your web developer or hosting provider for help.
For broader guidance on keeping your website secure, see our security checklist for small businesses and our guide on vulnerable WordPress plugins.
What does this mean for your website?
If you use Burst Statistics to track your website visitors, your site may currently be at risk of being taken over by an unauthorised third party. Updating the plugin to version 3.4.2 or later closes the vulnerability and is the single most important step you can take today. Keeping all your plugins up to date is one of the simplest and most effective ways to protect your business online.