
200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin

By Jason Boyd  |  17 May 2026


A critical security flaw in the Burst Statistics WordPress plugin left more than 200,000 business websites exposed to complete administrative takeover, with no login credentials required from the attacker. The vulnerability, discovered on 8 May 2026 by Wordfence’s autonomous research platform, scores 9.8 out of 10 on the CVSS severity scale — the highest rating short of a perfect score, reflecting a near-worst-case scenario for any business running WordPress.

Burst Statistics is a privacy-focused analytics plugin with a clean reputation and a substantial install base, and that reputation offered no protection here. The flaw was introduced into the code on 23 April 2026, discovered 15 days later, and a patch did not arrive until 19 days after that. In total, the vulnerability existed in production code for 34 days, leaving every site running an unpatched version exposed throughout that window.

A score of 9.8 matters because of what an authentication bypass vulnerability actually does. Authentication is the process by which a system confirms who you are before granting access. A bypass flaw removes that gate entirely, so an attacker needs no account, no password, no brute-force tool, and no prior knowledge of your site. They send a specific request and the site treats them as an authorised administrator, at which point they can install malicious code, create backdoor accounts, extract customer data, or redirect your visitors to a third-party site. The CVSS 9.8 rating reflects exactly that: unauthenticated access leading to full site compromise.

34 Days of Exposure, and Why Plugin Vulnerabilities Keep Appearing

Wordfence data shows the average WordPress site is attacked once every 34 minutes, which puts 34 days of exposure into perspective. A site running the vulnerable version of Burst Statistics was not waiting for a sophisticated, targeted attacker. Any automated scanner probing WordPress installations for known weaknesses would have flagged it.

Patchstack’s 2026 security report found that 91% of WordPress vulnerabilities originate in plugins, with researchers logging over 11,000 individual plugin vulnerabilities in 2025 alone — more than 30 new plugin vulnerabilities discovered every single day. Some are low-severity issues that require an attacker to already have an account on your site. Others, like this one, require nothing at all.

The volume alone makes a reactive approach to plugin security unworkable. Waiting for a vulnerability to make headlines before acting means accepting a window of exposure on every plugin you run, on every site you own. For a business that processes orders, holds customer data, or depends on its website for revenue, that window translates directly into financial and reputational damage.

Plugin quality is also no reliable filter. Burst Statistics is actively maintained, widely trusted, and used by serious businesses. The flaw was not introduced through obvious negligence; it was a code change that passed through the development process and landed in a production release. Any plugin, regardless of its track record, can carry a critical flaw in its next update.

What the Burst Statistics Flaw Reveals About Plugin Estate Management

Updates are frequently the delivery mechanism for security patches, yet most business owners treat them as a routine maintenance task to run occasionally when time allows. That framing needs to change, because the gap between a patch being released and a site owner applying it is the window an attacker can exploit.

There is a second risk that receives less attention. When a vulnerability is patched and disclosed publicly, the details of the flaw become available to anyone. Attackers read the same security disclosures that defenders do, then scan for sites still running the old version. Public disclosure accelerates the threat against unpatched sites, so the period immediately after a patch release is often when attack volume increases.

A proactive plugin management policy addresses both risks: applying security updates within hours rather than days, auditing your plugin estate periodically to remove tools you no longer use (because inactive plugins still carry vulnerabilities), and knowing what is installed on your site and why, so you can assess the risk when a disclosure lands. None of that requires technical expertise on your part, but it does require someone accountable for it.

If you are running Burst Statistics, check your installed version now. The patched release was made available following the 8 May 2026 discovery, and any version prior to that patch remains vulnerable. If you are unsure which version you are running, or if you have not reviewed your plugin estate recently, that uncertainty is itself a risk you are carrying without knowing its size.
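As an added example to go with the policy above (not code from the article or from the Burst Statistics project), the script below reads WP-CLI's plugin listing and flags the two things that policy asks for: pending updates to apply and inactive plugins to remove. The CSV sample is constructed, and the function names `audit_plugins`, `pending_updates` and `remediation_plan` are my own.

```shell
#!/bin/sh
# Added example: audit a WordPress plugin estate from WP-CLI output.
# On a live site the input would come from:
#   wp plugin list --fields=name,status,update,version --format=csv
# SAMPLE_CSV below is CONSTRUCTED; names and versions are not from a real site.
SAMPLE_CSV='name,status,update,version
burst-statistics,active,available,1.0.0
akismet,active,none,5.3.2
hello-dolly,inactive,none,1.7.2
old-slider,inactive,available,1.0.0'

# Reads the CSV on stdin and prints one finding per line:
#   REMOVE <name>  plugin is inactive; inactive code still carries its flaws
#   UPDATE <name>  an update is pending; the time until it is applied is the exposure window
# An inactive plugin is reported once, as REMOVE, even if an update also exists.
audit_plugins() {
  awk -F',' '
    NR == 1 { next }                             # skip the header row
    $2 == "inactive"  { print "REMOVE", $1; next }
    $3 == "available" { print "UPDATE", $1 }'
}

# Number of active plugins with a pending update (0 is the goal).
pending_updates() {
  audit_plugins | awk '$1 == "UPDATE" { n++ } END { print n + 0 }'
}

# Turns findings into the WP-CLI commands an administrator would run.
# They are printed, not executed, so the list can be reviewed first.
remediation_plan() {
  audit_plugins | awk '
    $1 == "UPDATE" { print "wp plugin update " $2 }
    $1 == "REMOVE" { print "wp plugin delete " $2 }'
}

# Demo run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_CSV" | remediation_plan
  printf 'pending updates: %s\n' "$(printf '%s\n' "$SAMPLE_CSV" | pending_updates)"
fi
```

Run with `--demo` to see the plan for the sample, or replace the sample with real `wp plugin list` output piped into `remediation_plan`.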

I work with business owners who want their WordPress site managed to a professional security standard, rather than left to accumulate risk between updates. If you want a plugin audit or a conversation about what a managed approach looks like for your site, get in touch with The WordPress Guy.

Written By Jason Boyd

An experienced WordPress specialist with 20+ years of experience transforming problematic websites into high-performing business assets through technical excellence in performance, security, SEO and sustainable development.
