If you received an email from me pointing you to this page, it is because your website appears to be running a vulnerable version of Burst Statistics (the WordPress plugin burst-statistics, a privacy-friendly analytics plugin). This page explains why that matters and how to fix it.

This notice concerns CVE-2026-8181, a critical, actively exploited flaw (CVSS 9.8) that lets an attacker take over your site as an administrator without logging in. It affects a narrow range of releases (versions 3.4.0, 3.4.1, and 3.4.1.1) and is fixed in 3.4.2. Versions before 3.4.0 were never affected. If you are running an affected version, update Burst Statistics to 3.4.2 or later as soon as possible. Because this flaw hands an attacker full control of the site and is being exploited at scale, you should also check for signs of unauthorized access (see If you were on an affected version below).

This is a plugin flaw, not a WordPress core flaw. A fully up-to-date WordPress does not protect you if the Burst Statistics plugin itself is on an affected version.

Is this message legitimate?

Yes. This is a good-faith, responsible-disclosure notice from an independent security researcher. I am not asking you for money, passwords, or access to your site, and I have not attempted to break into it, upload anything, or exploit anything.

All I did was look at publicly visible files that your website serves to every visitor (the same way your homepage is public) and note the version number that the Burst Statistics plugin publishes in its public readme.txt file. I specifically did not touch the vulnerable feature, and nothing about this check touches your data, your admin area, or any private part of your site.

If you would like to verify who I am, see the contact details at the bottom of this page and the About page.

Why this matters

Burst Statistics is a widely used, privacy-friendly analytics plugin (around 200,000 active installs). In version 3.4.0 it added an integration with the MainWP remote-management dashboard, and the code that authenticates those requests contains a mistake: it checks an incoming request’s application-password result incorrectly, so a request that carries no valid password can still be accepted.

The practical effect is that a remote attacker who simply knows the username of any administrator on your site can send one ordinary web request that the plugin accepts as that administrator, with no password and without logging in. That gives the attacker the full power of an administrator account: they can create new admin users, install a plugin or theme (a common way to plant a back door), change content, or read data.

The flaw was scored 9.8 out of 10 (critical severity). It was discovered by the Wordfence research team, and Wordfence reports it being actively exploited in the wild at scale, on the order of thousands of attack attempts per day, with public proof-of-concept code available. If my email cited this issue, it means the version your site reports falls within the affected range. I did not test whether your particular site is exploitable or already compromised, only that it reports an affected version.

The good news: updating to the fixed version closes the hole, and the update is straightforward.

How to check your version

You do not have to take my word for which version you are running.

From the public manifest (no login needed): open yourdomain.com/wp-content/plugins/burst-statistics/readme.txt in a browser. The Stable tag: line near the top is the version your Burst Statistics install reports, and this is the same public file I read.

From the WordPress admin area (if you have access):

  1. Log in to your WordPress dashboard (usually at yourdomain.com/wp-admin).
  2. Go to Plugins then Installed Plugins.
  3. Find Burst Statistics and note the version shown beneath its name.

If the version is 3.4.0, 3.4.1, or 3.4.1.1, you are on an affected version and should update. 3.4.2 and later are fixed, and versions before 3.4.0 were never affected.

How to upgrade

The safest path is to update through WordPress itself, and to back up first:

  1. Back up your site (files and database) before making changes. Most hosting providers offer one-click backups, or use a WordPress backup plugin.
  2. In the WordPress admin, go to Dashboard then Updates, or Plugins then Installed Plugins. If a Burst Statistics update is listed, install it from here.
  3. If no update appears, you can get the latest release directly from the plugin’s page on the WordPress.org directory, Burst Statistics, and update via Plugins then Add New Plugin then Upload Plugin.
  4. After updating, confirm the new version number (3.4.2 or later) using the steps above, and check that your site loads normally.

While you are in there, it is worth confirming that WordPress core and your other plugins are up to date, since the same principle applies to all of them.

If you were on an affected version

Because this flaw is being actively exploited to take over sites, a site that ran an affected version should not assume that simply updating is enough. The update removes the vulnerability, but it does not undo any access an attacker may already have gained. You (or your webmaster) should check for that on your own site:

  • Review your administrator accounts. In Users then All Users, filter by Administrator and remove any account you do not recognize. Attackers commonly add a new admin user to keep access.
  • Review recently installed or modified plugins and themes. Look for anything you did not install yourself, and for plugins with generic or unfamiliar names, a rogue plugin or theme is a common way to plant a back door.
  • Review application passwords. For each user (Users then the user’s Profile), check the Application Passwords section and revoke any entry you did not create.
  • Watch for other signs. Unexpected new content or pages, changes to admin email or site URL settings, or unfamiliar scheduled tasks are worth investigating.

If you find evidence of unauthorized access, treat the site as compromised: remove any rogue users, plugins, or themes, rotate your credentials (WordPress admin, database, and hosting panel), and consider restoring from a known-good backup taken before the intrusion. If your organization has an IT security team, loop them in.

I want to be clear: I have not checked your site for any of these indicators, and I do not know whether your site was affected. This list is here so you can check for yourself.

I do not have a webmaster / I am stuck

If you are not the person who maintains the site, please forward this page to whoever does (your web developer, agency, or hosting provider). They will recognize the steps above quickly.

If you are maintaining the site yourself and get stuck, I am happy to help point you in the right direction at no cost. Reach out using the contact details below.

Contact

Evan Harris, Security Researcher

I reach out about issues like this purely to help operators secure their sites. If you would prefer not to be contacted again, just let me know and I will honor that.

References

Official advisories and tracking

Vendor / plugin