If you use Burst Statistics, update it to 3.4.2 now. Attackers are already exploiting a critical flaw that can let them take over your site.

Burst Statistics flaw lets attackers become your admin

Wordfence says attackers started exploiting this bug on May 13, the same day the vendor released a fix. The issue is tracked as CVE-2026-8181, and Wordfence rates it critical. This is an authentication bypass flaw, which means an attacker can log in without the normal proof they should need. In this case, Wordfence says an attacker who knows an administrator username can impersonate that admin and take full control of the site.

This affects Burst Statistics versions 3.4.0 through 3.4.1.1. The fixed release is 3.4.2. If your site runs that plugin and you have not updated, you should treat the site as exposed right now. The risk is highest on sites where the administrator username is easy to guess, but every site on those versions needs attention because the exploit is already active in the wild.

Update Burst Statistics to version 3.4.2 immediately, then check your admin users for anything you do not recognize, reset administrator passwords, and remove the plugin if you cannot update it today.


End of article