Attackers Actively Exploiting Critical Vulnerability in Burst Statistics Plugin

On May 13th, 2026, we publicly disclosed a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with 200,000 active installations. This vulnerability can be leveraged by unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator and achieve complete site takeover. The vendor released the fully patched version on May 13th, 2026. We disclosed this vulnerability in the Wordfence Intelligence vulnerability database and in a blog post on the same day. Our records indicate that attackers started exploiting the issue the same day, on May 13th, 2026. The Wordfence Firewall has already blocked over 112,800 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 8, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 7, 2026.

Considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Burst Statistics, version 3.4.2 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

CVSS Rating
9.8 (Critical)
Affected Version(s)
3.4.0 – 3.4.1.1
Patched Version
3.4.2
The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, thereby achieving privilege escalation.

Vulnerability Details

To exploit the vulnerability, an attacker only needs to know a valid administrator username. By sending a REST API request with the X-BurstMainWP: 1 header and arbitrary Basic Authentication credentials, the plugin incorrectly treats the request as authenticated and sets the current user to the supplied administrator account, allowing unauthorized access to administrator-level REST API functionality, such as creating a new administrator account.

In our blog post linked below, we detailed the vulnerability:

200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin

A Closer Look at the Attack Data

The following data highlights actual exploit attempts from threat actors targeting this vulnerability. It appears that threat actors are attempting to create new administrator accounts on affected sites by sending crafted REST API requests with forged Basic Authentication credentials.

Example attack request

POST /wp-json/wp/v2/users HTTP/1.1
X-Burstmainwp: 1
Host: [redacted]
Content-Type: application/json

{"username":"artba999x","email":"artba999x@email.ee","password":"[redacted]","roles":["administrator"]}

Wordfence Firewall

The following graphic demonstrates the steps an attacker might take to exploit the vulnerability and the point at which the Wordfence firewall would block the attacker from successfully exploiting it.

Total Number of Exploits Blocked

The Wordfence Firewall has blocked over 112,800 exploit attempts since the vulnerability was publicly disclosed.

According to our data, attackers started targeting websites the same day the vulnerability was disclosed, on May 13th, 2026. We also detected and blocked a large number of exploit attempts from May 15th to 21st.

Top Offending IP Addresses

The following IP addresses are currently the most active sources of requests targeting the Burst Statistics plugin authentication bypass vulnerability:

  • 116.212.139.132
    • Over 8,300 blocked requests.
  • 210.247.204.106
    • Over 6,600 blocked requests.
  • 116.212.132.83
    • Over 4,400 blocked requests.
  • 159.65.141.85
    • Over 4,300 blocked requests.
  • 118.67.205.30
    • Over 4,000 blocked requests.
  • 188.166.247.192
    • Over 2,800 blocked requests.
  • 84.201.6.54
    • Over 2,600 blocked requests.
  • 45.156.87.207
    • Over 2,000 blocked requests.
  • 103.132.9.132
    • Over 1,900 blocked requests.
  • 118.67.205.88
    • Over 1,900 blocked requests.

Indicators of Compromise

The attackers are attempting to create new administrator accounts on affected sites. It is recommended to review the list of WordPress users on your site and remove any unknown administrator accounts, especially ones created on or after May 13th, 2026.

Additionally, we recommend reviewing log files for any requests containing the X-BurstMainWP: 1 header or for any requests to the /wp-json/wp/v2/users endpoint originating from the following IP addresses:

  • 116.212.139.132
  • 210.247.204.106
  • 116.212.132.83
  • 159.65.141.85
  • 118.67.205.30
  • 188.166.247.192
  • 84.201.6.54
  • 45.156.87.207
  • 103.132.9.132
  • 118.67.205.88
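The two review steps above (checking the site's user list for administrator accounts created on or after the disclosure date, and searching access logs for the X-BurstMainWP: 1 header or for requests to /wp-json/wp/v2/users from the listed IP addresses) can be scripted. The following is an added example written for this page, not code from Wordfence or from the Burst Statistics plugin. It assumes a JSON-lines access log that records request headers (the "ip", "time", "method", "path", "status" and "headers" field names are mine) and a user export in the shape of `wp user list --format=json`; both sample inputs below are constructed, not real traffic or real accounts.

```python
"""Review access logs and the WordPress user list for the IoCs in the advisory.

Assumed input formats (mine, not Wordfence's): the access log is JSON lines with
"ip", "time", "method", "path", "status" and a "headers" dict; the user list is
a list of records with "user_login", "roles" (comma-separated) and
"user_registered". Both samples are constructed for this example.
"""
import json
from datetime import datetime

# IP addresses the advisory lists as the top sources of blocked requests.
IOC_IPS = {
    "116.212.139.132", "210.247.204.106", "116.212.132.83", "159.65.141.85",
    "118.67.205.30", "188.166.247.192", "84.201.6.54", "45.156.87.207",
    "103.132.9.132", "118.67.205.88",
}
DISCLOSURE_DATE = datetime(2026, 5, 13)   # review admin accounts created on or after this date
USERS_ENDPOINT = "/wp-json/wp/v2/users"

# Constructed sample log: one line per request, headers included.
SAMPLE_ACCESS_LOG = """\
{"ip": "116.212.139.132", "time": "2026-05-15T10:02:11Z", "method": "POST", "path": "/wp-json/wp/v2/users", "status": 201, "headers": {"X-Burstmainwp": "1", "Authorization": "Basic [redacted]"}}
{"ip": "203.0.113.7", "time": "2026-05-15T10:03:45Z", "method": "GET", "path": "/wp-json/wp/v2/posts", "status": 200, "headers": {}}
{"ip": "198.51.100.23", "time": "2026-05-16T11:20:00Z", "method": "POST", "path": "/wp-json/wp/v2/users", "status": 401, "headers": {"x-burstmainwp": "1"}}
{"ip": "159.65.141.85", "time": "2026-05-17T08:00:00Z", "method": "GET", "path": "/wp-json/wp/v2/users", "status": 200, "headers": {}}
{"ip": "203.0.113.9", "time": "2026-05-18T09:00:00Z", "method": "POST", "path": "/wp-json/wp/v2/users", "status": 201, "headers": {"Authorization": "Basic [redacted]"}}
"""

# Constructed sample user export; "artba999x" is the username seen in the attack request above.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "roles": "administrator", "user_registered": "2021-03-02 09:15:00"},
    {"ID": 2, "user_login": "editor1", "roles": "editor", "user_registered": "2024-11-20 12:00:00"},
    {"ID": 57, "user_login": "artba999x", "roles": "administrator", "user_registered": "2026-05-15 10:02:12"},
]


def has_burst_mainwp_header(headers):
    """HTTP header names are case-insensitive, so normalise the name before comparing.

    The attack data shows the header logged as "X-Burstmainwp", so an exact-case
    match on "X-BurstMainWP" would miss it."""
    return any(k.lower() == "x-burstmainwp" and str(v).strip() == "1"
               for k, v in headers.items())


def find_suspicious_requests(log_text):
    """Return (ip, time, path, reasons) for each request matching the advisory's log-review guidance."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        # Rule 1: any request carrying the X-BurstMainWP: 1 header, regardless of source.
        if has_burst_mainwp_header(rec.get("headers", {})):
            reasons.append("X-BurstMainWP: 1 header present")
        # Rule 2: any request to the users endpoint from one of the listed IP addresses.
        if rec.get("path", "").startswith(USERS_ENDPOINT) and rec.get("ip") in IOC_IPS:
            reasons.append("users endpoint hit from listed IP")
        if reasons:
            hits.append((rec["ip"], rec["time"], rec["path"], reasons))
    return hits


def find_recent_admins(users, since=DISCLOSURE_DATE):
    """Usernames of administrator accounts registered on or after `since`.

    These are the accounts to verify against known staff and remove if unknown."""
    found = []
    for user in users:
        if "administrator" not in user["roles"].split(","):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            found.append(user["user_login"])
    return found


if __name__ == "__main__":
    for ip, when, path, reasons in find_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"{when} {ip} {path}: {'; '.join(reasons)}")
    print("administrator accounts created since disclosure:", find_recent_admins(SAMPLE_USERS))
```

Against the constructed sample, the first, third and fourth log lines are flagged (the first on both rules, the third on the header alone even though the request was rejected, the fourth because a listed IP touched the users endpoint), while the last line, a user creation from an unlisted address without the header, is not; whether such a request is legitimate is exactly what the user-list review is for, and here it surfaces the `artba999x` administrator account registered after May 13th.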

Conclusion

In today’s article, we covered the attack data for a critical-severity Authentication Bypass vulnerability in the Burst Statistics plugin that allows unauthenticated threat actors, with knowledge of an administrator username, to impersonate that administrator and achieve complete site takeover. Our threat intelligence indicates that attackers started actively targeting this vulnerability the same day it was disclosed, on May 13th, 2026, with mass exploitation occurring between May 15th and 21st, 2026. The Wordfence firewall has already blocked over 112,800 exploit attempts targeting this vulnerability.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 8, 2026. Sites using the free version of Wordfence will receive the same protection 30 days later on June 7, 2026.

Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 3.4.2 in order to maintain normal functionality. If you have friends or colleagues using Burst Statistics, be sure to forward this advisory to them, as thousands of sites could still be unprotected and unpatched.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

