Burst Statistics WordPress Plugin Flaw Enables Admin Takeover Under Active Exploitation
A critical authentication-bypass flaw in the Burst Statistics WordPress plugin is being actively exploited to seize administrator access on vulnerable sites. Tracked as CVE-2026-8181, the bug affects versions 3.4.0 through 3.4.1.1 and was introduced through improper return-value handling in the plugin’s is_mainwp_authenticated() logic for Basic Authentication headers. Security researchers reported that an unauthenticated attacker who knows an administrator username can send arbitrary credentials and be treated as that admin for the request, allowing account impersonation or creation of new administrator accounts on sites running the plugin, which is installed on roughly 200,000 WordPress websites.
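The page describes the root cause only as "improper return-value handling" around the plugin's Basic Authentication check. The PHP below is an added illustration of how that class of bug commonly arises in WordPress code and how it is closed; it is not the Burst Statistics source. The example_ functions, the option to rebuild the identity from the header, and the specific mistake shown (treating a WP_Error result as success) are assumptions used for illustration. The WordPress core functions called (wp_authenticate, get_user_by, wp_set_current_user, is_wp_error) are real and behave as commented.

```php
<?php
// Added illustration of the "improper return-value handling" bug class.
// NOT the Burst Statistics code: every example_* function is hypothetical.
// Note: Apache mod_php fills PHP_AUTH_USER/PHP_AUTH_PW from the Basic header;
// under CGI/FastCGI plugins usually parse $_SERVER['HTTP_AUTHORIZATION'] instead.

/**
 * Hypothetical helper: verifies the Basic Auth credentials on the request.
 * wp_authenticate() returns a WP_User on success or a WP_Error on failure,
 * so this function has a mixed return type that callers must handle.
 */
function example_basic_auth_user() {
    if ( empty( $_SERVER['PHP_AUTH_USER'] ) || ! isset( $_SERVER['PHP_AUTH_PW'] ) ) {
        return new WP_Error( 'no_basic_auth', 'No Basic Authentication header.' );
    }
    return wp_authenticate( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
}

/**
 * VULNERABLE pattern: the mixed result is tested as a boolean. A WP_Error
 * object is truthy in PHP, so a request carrying a known admin username and
 * a wrong password passes the check, and the code then trusts the username
 * taken from the header and switches the request to that account.
 */
function example_is_authenticated_vulnerable() {
    $result = example_basic_auth_user();
    if ( $result ) {                                       // WP_Error is truthy
        $user = get_user_by( 'login', $_SERVER['PHP_AUTH_USER'] );
        if ( $user ) {
            wp_set_current_user( $user->ID );             // impersonation for this request
            return true;
        }
    }
    return false;
}

/**
 * HARDENED pattern: reject every result that is not a verified WP_User,
 * never rebuild the identity from attacker-supplied header fields, and set
 * the current user only from the object wp_authenticate() returned.
 */
function example_is_authenticated_fixed() {
    $result = example_basic_auth_user();
    if ( is_wp_error( $result ) || ! ( $result instanceof WP_User ) ) {
        return false;
    }
    wp_set_current_user( $result->ID );
    return true;
}
```

Any audit of similar code should look for callers that test an authentication helper's result with a bare `if ( $result )`, `!empty()`, or `!= false`, since every one of those treats a WP_Error (or any other non-boolean failure object) as success.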
Wordfence said it observed live attacks and blocked more than 7,400 exploitation attempts in a 24-hour period. Successful compromise could enable follow-on activity including data theft, malware deployment, and malicious site redirection. Defenders were urged to update immediately to Burst Statistics 3.4.2 or disable the plugin until patching is possible. Separate disclosures also highlighted another severe WordPress plugin issue, CVE-2026-6510 in InfusedWoo Pro versions up to and including 5.1.2, where missing authorization checks in the iwar_save_recipe() AJAX handler let unauthenticated attackers save a malicious automation recipe, leading to administrator-level privilege escalation.
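The InfusedWoo Pro issue is described only as a missing authorization check in an AJAX handler. The PHP below is an added illustration of that pattern and of the standard WordPress fix; it is not the InfusedWoo Pro source. The hook names, option name, recipe schema, allowlist and the example_ functions are assumptions; the core functions used (add_action, check_ajax_referer, current_user_can, wp_send_json_success/error, wp_unslash, sanitize_key, update_option) are real.

```php
<?php
// Added illustration of an AJAX handler missing authorization.
// NOT the InfusedWoo Pro code: every example_* name, hook and option is hypothetical.

// VULNERABLE: the handler is exposed to unauthenticated visitors via the
// wp_ajax_nopriv_ hook and persists whatever "recipe" the request carries.
// If the plugin later executes stored recipes with its own privileged context,
// an attacker-authored recipe (e.g. a "set_role" step) becomes privilege escalation.
add_action( 'wp_ajax_nopriv_example_save_recipe', 'example_save_recipe_vulnerable' );
add_action( 'wp_ajax_example_save_recipe', 'example_save_recipe_vulnerable' );
function example_save_recipe_vulnerable() {
    $recipe = isset( $_POST['recipe'] ) ? (array) wp_unslash( $_POST['recipe'] ) : array();
    update_option( 'example_automation_recipes', $recipe );   // attacker-controlled content
    wp_send_json_success();
}

/**
 * Hypothetical validator: only allow recipe steps of known, low-impact types.
 * Returns the cleaned recipe or a WP_Error.
 */
function example_validate_recipe( array $recipe ) {
    $allowed_steps = array( 'send_email', 'add_tag', 'remove_tag' );   // assumed allowlist
    $clean = array();
    foreach ( $recipe as $step ) {
        $type = isset( $step['type'] ) ? sanitize_key( $step['type'] ) : '';
        if ( ! in_array( $type, $allowed_steps, true ) ) {
            return new WP_Error( 'bad_step', 'Recipe step type not allowed: ' . $type );
        }
        $clean[] = array( 'type' => $type );
    }
    return $clean;
}

// HARDENED: no nopriv hook (anonymous users cannot reach it at all), a nonce
// bound to this action, and an explicit capability check. A nonce alone is
// CSRF protection, not authorization; the capability check is what stops a
// low-privilege user, and the allowlist is what stops a dangerous recipe.
add_action( 'wp_ajax_example_save_recipe_v2', 'example_save_recipe_fixed' );
function example_save_recipe_fixed() {
    check_ajax_referer( 'example_save_recipe', 'nonce' );       // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $recipe = isset( $_POST['recipe'] ) ? (array) wp_unslash( $_POST['recipe'] ) : array();
    $recipe = example_validate_recipe( $recipe );
    if ( is_wp_error( $recipe ) ) {
        wp_send_json_error( $recipe->get_error_message(), 400 );
    }
    update_option( 'example_automation_recipes', $recipe );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, grep for every `wp_ajax_nopriv_` registration and confirm the handler either performs no state change or is genuinely meant for anonymous users; then check that the authenticated `wp_ajax_` counterparts call `current_user_can()` with a capability appropriate to the action, not just `check_ajax_referer()`.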

How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
Burst Statistics users advised to update to version 3.4.2
Defenders were advised to patch Burst Statistics to version 3.4.2 or disable the plugin if immediate patching was not possible. The update addressed the critical authentication bypass affecting roughly 200,000 WordPress sites.
Active exploitation of Burst Statistics vulnerability observed
Wordfence reported active exploitation of CVE-2026-8181 against Burst Statistics sites and said it blocked more than 7,400 attack attempts within a 24-hour period. Successful attacks could enable admin account creation, data theft, malware delivery, or site redirection.
CVE-2026-6510 assigned for InfusedWoo Pro privilege-escalation flaw
A new CVE, CVE-2026-6510, was assigned on 2026-05-14 for a critical InfusedWoo Pro vulnerability affecting versions through 5.1.2. The issue allows unauthenticated attackers to create a malicious automation recipe that can lead to administrator-level account takeover.
Wordfence receives and documents CVE-2026-8181 report
Wordfence received the Burst Statistics authentication bypass vulnerability report on 2026-05-14 and documented that incorrect handling of Basic Authentication could let unauthenticated attackers impersonate an administrator during a request.
Burst Statistics flaw introduced in plugin version 3.4.0
The authentication bypass vulnerability later tracked as CVE-2026-8181 was introduced in Burst Statistics version 3.4.0. The flaw affected subsequent releases including 3.4.1 and 3.4.1.1.
Sources
Three references tracked.
SC Media (scworld.com): "Critical vulnerability in Burst Statistics plugin allows admin takeover" (brief)
CVEfeed (cvefeed.io): "CVE-2026-6510 - InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'"
CVEfeed (cvefeed.io): "CVE-2026-8181 - Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover"