SC Media, Vulnerability Management

Critical vulnerability in Burst Statistics plugin allows admin takeover

A critical authentication bypass vulnerability (CVE-2026-8181, CVSS 9.8) in the WordPress Burst Statistics plugin allows unauthenticated attackers to perform administrative actions by exploiting flawed REST API authentication, letting them impersonate existing administrators or create new administrator accounts. The flaw affects versions 3.4.0 through 3.4.1. Users must update to version 3.4.2 or disable the plugin immediately, as the flaw is under active exploitation.

May 15, 2026, by SC Staff

According to Bleeping Computer, hackers are exploiting a critical authentication bypass vulnerability in the popular WordPress plugin Burst Statistics, potentially granting them administrative access to websites.

The flaw, identified as CVE-2026-8181, was introduced in version 3.4.0 and persists in 3.4.1 of the Burst Statistics plugin, which is installed on approximately 200,000 WordPress sites.

Discovered by Wordfence, the vulnerability allows unauthenticated attackers to impersonate existing administrators or create new admin accounts by exploiting how the plugin handles REST API requests and authentication. Attackers can leverage this by supplying incorrect credentials in a Basic Authentication header, which nonetheless results in the requested actions being executed as an administrator. This could result in data theft, malware distribution, or website redirection.

Wordfence has reported blocking over 7,400 attacks in the past 24 hours, indicating active exploitation. Users are strongly advised to update to version 3.4.2 or disable the plugin entirely to mitigate the risk. Because the bypass can be used to create new administrator accounts, updating alone does not undo a compromise that has already happened: sites that ran 3.4.0 or 3.4.1 while exposed should also review their administrator list for accounts they do not recognise.

Source: Bleeping Computer
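As an added triage example (not code from SC Media, Wordfence, Bleeping Computer or the Burst Statistics plugin), the script below classifies an installed plugin version against the affected range stated above and, where the version is affected, updates the plugin with WP-CLI (falling back to deactivating it) and lists administrator accounts for review. It assumes WP-CLI (`wp`) is installed, that the plugin's WordPress.org slug is `burst-statistics`, and that version strings are plain dotted numbers; `vercmp`, `burst_affected`, `burst_status` and `triage_site` are names introduced here.

```shell
#!/bin/sh
# Added triage helper for the Burst Statistics advisory (CVE-2026-8181).
# Assumptions: WP-CLI ("wp") is installed, the plugin slug is "burst-statistics",
# and versions are plain dotted numbers (3.4.0, 3.4.2, ...). Nothing here touches
# WordPress unless WP_PATH is set when the script is run.
set -eu

PLUGIN_SLUG="burst-statistics"   # assumed WordPress.org slug
AFFECTED_MIN="3.4.0"             # from the advisory: flaw introduced in 3.4.0
AFFECTED_MAX="3.4.1"             # from the advisory: still present in 3.4.1
FIXED="3.4.2"                    # from the advisory: first patched release

# vercmp A B: prints -1, 0 or 1 as dotted version A is <, = or > B.
# Compares component by component, so "3.4.10" sorts after "3.4.2"
# (a plain string comparison would get that wrong).
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ap="${a%%.*}"; bp="${b%%.*}"   # leading component of each version
    [ -n "$ap" ] || ap=0            # a missing component counts as 0, so 3.4 == 3.4.0
    [ -n "$bp" ] || bp=0
    if [ "$ap" -lt "$bp" ]; then echo -1; return 0; fi
    if [ "$ap" -gt "$bp" ]; then echo 1; return 0; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac   # drop the component just compared
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  echo 0
}

# burst_affected VERSION: succeeds (exit 0) when VERSION lies in the affected
# range 3.4.0 through 3.4.1 inclusive, i.e. CVE-2026-8181 applies.
burst_affected() {
  if [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] && [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]; then
    return 0
  fi
  return 1
}

# burst_status VERSION: prints "affected", "patched" (>= 3.4.2) or "older" (< 3.4.0).
burst_status() {
  if burst_affected "$1"; then
    echo affected
  elif [ "$(vercmp "$1" "$FIXED")" -ge 0 ]; then
    echo patched
  else
    echo older
  fi
}

# triage_site WP_ROOT: read the installed version via WP-CLI; if it is affected,
# update the plugin (or deactivate it when the update fails) and list the
# administrator accounts, since the attack can create admin users that a patch
# does not remove.
triage_site() {
  wp_root="$1"
  if ! ver="$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$wp_root" 2>/dev/null)"; then
    echo "$PLUGIN_SLUG is not installed at $wp_root"
    return 0
  fi
  echo "$PLUGIN_SLUG $ver: $(burst_status "$ver")"
  if burst_affected "$ver"; then
    wp plugin update "$PLUGIN_SLUG" --path="$wp_root" ||
      wp plugin deactivate "$PLUGIN_SLUG" --path="$wp_root"
    echo "Administrator accounts (review any you do not recognise):"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --path="$wp_root"
  fi
}

# Only run the triage when a WordPress root is supplied, e.g.
#   WP_PATH=/var/www/html sh burst_triage.sh
# Without WP_PATH the script just defines the functions above.
[ -z "${WP_PATH:-}" ] || triage_site "$WP_PATH"
```

Run it as `WP_PATH=/var/www/html sh burst_triage.sh` on each site; the administrator listing at the end is the check that matters after patching, because an account created through the bypass before the update survives the update.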
