NEWS: 7400 attacks in one day. Mass hacking of WordPress sites is already underway – and most owners don't know about it

pinkman

A popular plugin with 200 thousand installations has suddenly turned into a weak point in site security.
WordPress sites are once again being hit through a bug in a popular extension. This time the attackers targeted Burst Statistics, an analytics plugin used on about 200 thousand sites. The vulnerability allows an attacker to obtain administrator rights without logging in to an account, which means site owners risk losing control of their projects.

The problem was assigned CVE-2026-8181. According to Wordfence, the vulnerability was introduced on April 23 with Burst Statistics version 3.4.0 and remained in version 3.4.1. Researchers found the flaw on May 8, and after details of the problem were published, active attacks began.

The flaw stems from improper handling of the return value of the function wp_authenticate_application_password(). The code mistakenly treated certain WordPress return values as successful verification, then set the current user to the username supplied by the attacker. As a result, for the duration of a REST API request an attacker could temporarily impersonate a known administrator, even when supplying a wrong password.
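To show the class of mistake described above, here is an added illustration; it is not Burst Statistics' own code, which is not reproduced on this page, and the function names are hypothetical. In WordPress core, wp_authenticate_application_password() returns a WP_User on success, a WP_Error when a check fails, and the unmodified $input_user (normally null) when it does not attempt a check at all, for example when no application passwords exist on the site; a caller that only tests is_wp_error() therefore accepts that third case.

```php
<?php
// Added illustration, not the plugin's code. Assumes WordPress is loaded;
// the two helper functions below are hypothetical names.

// Fragile pattern: anything that is not a WP_Error is treated as a verified login.
function example_fragile_rest_auth( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( is_wp_error( $result ) ) {
        return false;
    }
    // $result may be null here (no check was attempted), yet the code goes on
    // to trust the submitted username and make that account the current user.
    $user = get_user_by( 'login', $username );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        return true;
    }
    return false;
}

// Hardened pattern: accept only an actual WP_User returned by the verifier,
// and derive the current user from that object, never from the submitted name.
function example_hardened_rest_auth( $username, $password ) {
    $result = wp_authenticate_application_password( null, $username, $password );
    if ( ! ( $result instanceof WP_User ) ) {
        // Rejects both WP_Error and the "check not attempted" null case.
        return false;
    }
    wp_set_current_user( $result->ID );
    return true;
}
```

The same instanceof check is the habit to apply to any WordPress authentication filter or helper whose contract is "return the input unchanged if you did nothing".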

A successful attack does require knowing the administrator's username, but such data is often found in posts, comments or open API responses, and if necessary it can be guessed. After bypassing authentication, the attacker can create a new account with administrator rights, access restricted data, plant backdoors, redirect visitors to dangerous pages or distribute malicious code through the compromised site.

Wordfence reports that over the past day it blocked more than 7400 attempts to exploit CVE-2026-8181. The scale of the attacks shows that the problem has already moved from theory to practice.

The developers released the patched version, Burst Statistics 3.4.2, on May 12, 2026. Site owners are advised to update the extension urgently or temporarily disable it. According to WordPress.org statistics, the plugin was downloaded about 85 thousand times after the release of version 3.4.2. Even if every one of those downloads was the fixed release, about 115 thousand sites may still be exposed to takeover of administrative access.
 