Critical WordPress Plugin Flaw Allows Unauthorized Access to Websites
ID: b28d4e28-4c88-50fb-b984-e8d9512bbc45
STIX ID: report--b28d4e28-4c88-50fb-b984-e8d9512bbc45
Feed Name: GBHackers
A critical authentication bypass (CVE-2026-8181, CVSS 9.8) was discovered in the Burst Statistics WordPress plugin (versions 3.4.0–3.4.1.1). Attackers who know a valid administrator username can craft REST API requests that impersonate administrators and potentially create persistent admin accounts. The issue affects roughly 200,000 sites and was quickly patched in version 3.4.2; Wordfence has deployed firewall rules to protect users.
