A WordPress privacy plugin opened 115,000 sites to takeover
A WordPress plugin called Burst Statistics, installed on about 200,000 sites and marketed as a privacy-friendly alternative to Google Analytics, has a critical authentication-bypass flaw that lets attackers walk in as the site administrator. Wordfence discovered it on May 8th. A patch shipped May 12. As of about a week later, only roughly 85,000 sites had updated. The other 115,000 are wide open, and active exploitation has already started.
If you run a WordPress site, this is a stop-what-you're-doing-and-check kind of post.
What the plugin does, and what broke
Burst Statistics is one of the more reasonable choices in the WordPress analytics space. It tracks visitor data on your own server instead of sending it to Google. It doesn't require a cookie banner under most reasonable readings of GDPR, and is generally the kind of tool a small business installs when they want to know how many people read their blog.
The flaw, tracked as CVE-2026-8181, scores 9.8 out of 10 on the CVSS severity scale. In versions 3.4.0 and 3.4.1.x, the plugin's integration with another tool (MainWP) had a broken check. The check was supposed to verify that whoever was making a request was actually a logged-in WordPress administrator. It didn't. An unauthenticated attacker who knows an administrator username (usually trivial to figure out, since WordPress exposes admin usernames by default) could send a request with any password at all, and the plugin would treat them as that admin. From there: read user data, create new admin accounts, install backdoors. Full site compromise.
The numbers
Wordfence's PRISM platform (their AI-assisted vulnerability research tool) identified the flaw on May 8th. The plugin team shipped a fix four days later, on May 12th. Wordfence customers on paid tiers got firewall protection the same day; free-tier users get it June 7th.
In the first 24 hours after disclosure, Wordfence's tracker blocked more than 7,400 exploit attempts. Active exploitation is happening right now, against any unpatched site an attacker can find.
By WordPress.org's own download counter, version 3.4.2 has been pulled about 85,000 times since release. That's roughly 42% of the installed base. The other 115,000 sites are either still running a vulnerable version or have decided to remove the plugin entirely.
What it means
Two things stand out.
First, the speed. Fifteen days from "vulnerability introduced" to "vulnerability discovered." Four more days to a patch. Hours to active exploitation. That whole cycle used to take months. AI-assisted research is now part of the security stack on the defensive side (Wordfence's PRISM platform is what found this one), but attackers are working with the same tools. The old advice of "update your plugins once a month" is too slow for anything internet-facing.
Second, the choice itself was fine. Burst Statistics is a tool you install precisely because you care about your visitors' privacy. You made a thoughtful call to not feed visitor data to Google. That same call is now the door an attacker walks through to take over your whole site. There's no moral lesson in this; every piece of software, however well-intentioned, eventually has a bug. Picking the privacy-respecting option is still the right direction. The cost of admission is the same as for every other piece of internet-facing software: patch faster than the attackers can move. Security has always been an arms race.
What to do
Log in to your WordPress admin and check your installed plugins. If Burst Statistics is in the list and it's not on version 3.4.2 or later, update it now. If you don't use it, remove it completely.
While you're in there, click "Updates" in the left sidebar. Apply every available plugin and theme update. The Burst Statistics one is just the one making news this week; the average WordPress site is running multiple plugins that have patched something in the last month.
Turn on automatic updates for plugins if you haven't. WordPress has supported this natively since version 5.5. The setting is per-plugin, on the Plugins page, in the "Automatic Updates" column. For most small business sites, the upside (zero-day windows close faster) outweighs the downside (a plugin update occasionally breaks something).
Audit your admin accounts. A common post-takeover move is to leave a new admin account behind so the attacker can return after you patch. Check the Users page for accounts you don't recognize.
If someone else maintains your site, ask them when they last applied updates. "We have a guy" is not an answer to this question.
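The checklist above, as an added example that is not from this post or from the Burst Statistics project: a POSIX shell script that runs the same four steps through WP-CLI (assumed installed, with the script run from the site's WordPress root). The plugin slug burst-statistics and the version cut-offs (3.4.0 and 3.4.1.x affected, fixed in 3.4.2) are taken from the post. The version classifier works without WP-CLI, so the script also runs outside a WordPress install on constructed version strings.

```shell
#!/bin/sh
# Added example, not code from the post or the plugin project.
# Assumes WP-CLI ("wp") is installed and this runs from the WordPress root.
# Slug and version boundaries are taken from the post.

PLUGIN_SLUG="burst-statistics"
FIRST_AFFECTED="3.4.0"
FIXED_IN="3.4.2"

# version_cmp A B: compare dotted version strings component by component.
# Prints lt, eq or gt. Missing components count as 0 (3.4 == 3.4.0), and a
# non-numeric suffix such as "1-beta" is compared as 1.
version_cmp() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; a=${a#*.}
        bc=${b%%.*}; b=${b#*.}
        ac=${ac%%[!0-9]*}; bc=${bc%%[!0-9]*}
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -lt "$bc" ]; then echo lt; return; fi
        if [ "$ac" -gt "$bc" ]; then echo gt; return; fi
    done
    echo eq
}

# burst_status VERSION: classify an installed Burst Statistics version.
#   affected = 3.4.0 <= v < 3.4.2 (the auth bypass)
#   outdated = older than 3.4.0 (not this bug, but still update)
#   patched  = 3.4.2 or later
burst_status() {
    v="$1"
    if [ "$(version_cmp "$v" "$FIXED_IN")" != lt ]; then
        echo patched
    elif [ "$(version_cmp "$v" "$FIRST_AFFECTED")" != lt ]; then
        echo affected
    else
        echo outdated
    fi
}

# audit_site: the post's checklist via WP-CLI. Read the installed version,
# update if it is not patched, enable per-plugin auto-updates, then list
# administrator accounts with registration dates so unfamiliar ones stand out.
# (If you do not use the plugin at all, "wp plugin delete burst-statistics"
# is the equivalent of removing it from the Plugins page.)
audit_site() {
    if ! ver=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null); then
        echo "$PLUGIN_SLUG is not installed; nothing to patch."
    else
        status=$(burst_status "$ver")
        echo "$PLUGIN_SLUG $ver: $status"
        if [ "$status" != patched ]; then
            wp plugin update "$PLUGIN_SLUG"
        fi
        wp plugin auto-updates enable "$PLUGIN_SLUG"
    fi
    echo "Administrator accounts (check for any you do not recognize):"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

# Inside a WordPress install, run the real audit. Elsewhere, show the
# classifier on constructed version strings so the script still runs.
if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
    audit_site
else
    for sample in 3.3.9 3.4.0 3.4.1.3 3.4.2 3.5; do
        echo "$sample -> $(burst_status "$sample")"
    done
fi
```

The version comparison is written out by hand rather than relying on `sort -V`, which is not available on every system's `sort`. Run the script from each site's root (or wrap it in a loop over `--path=` values for a host with many sites) and read the administrator listing with the post's warning in mind: an account registered around the time of the patch that nobody on your team created is the thing to look for.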
What MFA doesn't cover
I want to point out something that most security professionals won't say out loud. MFA on your WordPress admin login would not have helped here. The flaw bypasses the login entirely. There's no password being checked, no MFA prompt being triggered; the plugin just handed an attacker administrator privileges when they asked.
Keep MFA on regardless. It still stops the much more common credential-reuse attack against the standard login form. The lesson here is that MFA and patching are separate jobs. You need to do both.
If you've found this plugin on a site you manage, or hit something similar lately, I'd be glad to hear about it. You can reach me at joel@freshfromcache.com.
Joel
Sources
Wordfence CVE-2026-8181 disclosure (primary): Wordfence Threat Intelligence.
Bleeping Computer: Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin (May 13, 2026). Link.
CVE record: CVE-2026-8181 (CVSS 9.8). Assigner: Wordfence. Published May 14, 2026.