Two popular WordPress plugins need attention today. Burst Statistics has a critical admin bypass, and Avada Builder has flaws that can expose sensitive data.
Burst Statistics can hand attackers your admin role
Wordfence found a critical login bypass in Burst Statistics on May 8. An attacker who knows a valid administrator username can act as that admin during a WordPress API request, which is WordPress’s built-in way to change site data.
That access can let the attacker create a new administrator account with no real login. This affects Burst Statistics sites that installed releases published on or after April 23, 2026, and before the vendor patch.
Update Burst Statistics to the patched version now, and review your administrator accounts for any user you did not create.
Avada Builder can expose files and database data
Wordfence reported two serious bugs in Avada Builder after a researcher submitted them through its bug bounty program. One flaw lets a logged-in low-level user read files on the server, and the other lets an outside attacker pull data from the database, including stored password data.
This affects sites that use Avada Builder, a plugin installed on about 1,000,000 WordPress sites, and that have not installed the vendor’s fixed release. The file-reading bug needs a subscriber account or higher, but the database bug does not need any login.
Update Avada Builder now, then change administrator passwords if you spot strange logins, new users, or signs that someone accessed your database.
End of article