Attackers are targeting a flaw in the Burst Statistics WordPress plugin that can let outsiders take over websites by creating administrator accounts. Defiant says versions 3.4.0 to 3.4.1.1 contain an authentication bypass in application-password validation for REST API requests, allowing unauthenticated attackers to impersonate an admin for a request and use admin-level functions. Users should update to version 3.4.2 or newer.
Why it matters: Sites using Burst Statistics may be vulnerable to full website takeover, so this is urgent for WordPress administrators and hosting providers. Check plugin versions now, update immediately, and review for unexpected administrator accounts or suspicious REST API activity.
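As an added example (not code from the article, from Defiant, or from the Burst Statistics project), the script below turns the three actions recommended above into checks a WordPress administrator can run: read the installed plugin version from the plugin header and compare it against the affected range (3.4.0 up to but not including 3.4.2), scan a web-server access log for REST API requests that created user accounts, and list administrator accounts that are not on a known-good list or were registered after a chosen date. The access-log format, the plugin-header snippet and the user records are constructed sample data; the shape of the user records (login, roles, registered) is an assumption standing in for whatever your database export or WP-CLI output provides.

```python
"""Post-advisory checks for the Burst Statistics authentication bypass.

Constructed example: sample log lines, header text and user records are
made up for illustration and are not taken from any real site.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

AFFECTED_FROM = (3, 4, 0)   # first affected version per the advisory
PATCHED = (3, 4, 2)         # first fixed version per the advisory


def parse_version(text):
    """'3.4.1.1' -> (3, 4, 1, 1): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_plugin_header(header_text):
    """Read the 'Version:' line of a WordPress plugin main-file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", header_text, re.MULTILINE)
    if not match:
        raise ValueError("no Version: line in plugin header")
    return parse_version(match.group(1))


def is_affected(version):
    """True when 3.4.0 <= version < 3.4.2, the range named in the advisory."""
    return AFFECTED_FROM <= version < PATCHED


# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def rest_route(request_path):
    """Normalise both REST URL styles to one route string:
    '/wp-json/wp/v2/users' and '/index.php?rest_route=/wp/v2/users'
    both become '/wp/v2/users'. Returns None for non-REST requests."""
    parts = urlsplit(request_path)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):].strip("/")
    route = parse_qs(parts.query).get("rest_route")
    return "/" + route[0].strip("/") if route else None


def rest_user_creations(log_lines):
    """(ip, raw path, status) for POSTs to the core users endpoint, i.e.
    account creation through the REST API. Review every hit: a legitimate
    integration may create users this way, an attacker abusing the bypass would too."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        if match.group("method") == "POST" and rest_route(match.group("path")) == "/wp/v2/users":
            hits.append((match.group("ip"), match.group("path"), int(match.group("status"))))
    return hits


def unexpected_admins(users, known_admins, since):
    """Logins of administrator accounts that are either not on the known-good
    list or were registered on/after `since` (e.g. the advisory date)."""
    return [
        user["login"]
        for user in users
        if "administrator" in user["roles"]
        and (user["login"] not in known_admins or user["registered"] >= since)
    ]


# --- constructed sample input --------------------------------------------
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Burst Statistics
 * Version: 3.4.1.1
 */
"""

SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2026:10:15:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2026:10:15:09 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412 "-" "python-requests/2.31"',
    '198.51.100.4 - - [03/Jun/2026:10:16:40 +0000] "POST /index.php?rest_route=/wp/v2/users HTTP/1.1" 201 410 "-" "curl/8.5.0"',
    '192.0.2.10 - - [03/Jun/2026:10:20:00 +0000] "GET /wp-json/wp/v2/users/me HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

SAMPLE_USERS = [  # assumed shape: login, roles, registered
    {"login": "siteowner", "roles": ["administrator"], "registered": datetime(2021, 3, 1)},
    {"login": "editor1", "roles": ["editor"], "registered": datetime(2024, 5, 2)},
    {"login": "wpsupport", "roles": ["administrator"], "registered": datetime(2026, 6, 3, 10, 15)},
]

if __name__ == "__main__":
    installed = version_from_plugin_header(SAMPLE_HEADER)
    print("installed:", ".".join(map(str, installed)), "affected:", is_affected(installed))
    for hit in rest_user_creations(SAMPLE_LOG):
        print("REST user creation:", hit)
    print("admins to review:", unexpected_admins(SAMPLE_USERS, {"siteowner"}, datetime(2026, 5, 1)))
```

On a real site, feed `version_from_plugin_header` the contents of the plugin's main PHP file, `rest_user_creations` your access log, and `unexpected_admins` an export of users with their roles; a hit from the log check or an unknown administrator is the signal to rotate credentials and application passwords after updating to 3.4.2.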
Ionut Arghire
2026.06.03
The article establishes a distinct exploited-plugin event separate from the already tracked Kirki story by identifying active attacks against Burst Statistics, the affected versions, the attack method, and the patched version.