Burst Statistics Plugin Hack: Is Your Site at Risk?

Hackers are actively exploiting a critical flaw in the Burst Statistics WordPress plugin — here's how to check your site and fix it today.


Burst Statistics Plugin Hack: Strangers Can Take Over Your Site

Hackers are actively exploiting a flaw in a WordPress plugin that over 100,000 sites use to track visitor numbers. Not "could exploit." Are exploiting, right now.

What's Happening With the Burst Statistics Plugin

The plugin in question is Burst Statistics, a popular free analytics tool for WordPress. Security researchers discovered a critical authentication bypass vulnerability — meaning an attacker can skip the login process entirely and gain admin-level access to your site without knowing your password.

Think of it like a lock on your front door that opens if you knock in a specific pattern. You don't need a key. You just need to know the pattern.

According to SC Media and RS Web Solutions, the flaw allows a complete admin takeover. That means whoever exploits it can install other plugins, create new admin accounts, redirect your visitors, or plant hidden code that steals data. SecNews confirmed that hackers are already actively taking advantage of the vulnerability in the wild, not just in lab conditions.

This is not a theoretical risk.

Who Is Affected

If your site has Burst Statistics installed, you need to act today. The plugin has a significant install base — which is exactly why attackers are targeting it. A widely used plugin with a known flaw is a gift for anyone running automated attacks across thousands of WordPress sites.

Do you know every plugin installed on your client sites right now? Most agency owners don't, and that's the honest answer.

The vulnerability was disclosed and reported publicly in 2026, which means the window between "researchers found it" and "hackers weaponised it" was short. That's becoming normal.

What to Do Right Now

Three steps. Do them in this order.

1. Check if Burst Statistics is installed. Log into your WordPress dashboard, go to Plugins, and search for "Burst Statistics." If it's there, note the version number.

2. Update it immediately. A patched version has been released. Go to Plugins → Updates and apply it. If you manage multiple client sites, check every single one — not just your own.

3. Check for suspicious admin accounts. Go to Users → All Users and filter by Administrator. If you see any account you don't recognise, delete it immediately and change all your admin passwords. An attacker may have already created a back door account before the patch was applied.

If you're not sure whether your site was already compromised before you updated, it's worth asking a developer to scan for recently added or modified files. A free tool like Wordfence can help flag anything unusual.
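The three steps above and the follow-up file scan, as one WP-CLI script. This is an added example, not code from the original post or from the Burst Statistics project. It assumes WP-CLI (`wp`) is installed on the server, that the WordPress root is in `WP_ROOT`, that the plugin's directory slug is `burst-statistics`, and that `EXPECTED_ADMINS` holds the space-separated logins of the administrators you actually created. The parsing functions read CSV from stdin, so they work on saved `wp` output as well as live calls.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install for the
# Burst Statistics steps above. Assumptions: WP-CLI is installed, WP_ROOT points
# at the WordPress root, and the plugin slug is "burst-statistics".
set -u

PLUGIN_SLUG="burst-statistics"           # assumed slug; confirm under wp-content/plugins
WP_ROOT="${WP_ROOT:-/var/www/html}"      # assumed default path

# Step 1: read `wp plugin list --fields=name,status,update,version --format=csv`
# from stdin. Prints "not-installed" or "installed version=X update=none|available".
check_plugin_status() {
    awk -F, -v slug="$PLUGIN_SLUG" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $col["name"] == slug {
            found = 1
            printf "installed version=%s update=%s\n", $col["version"], $col["update"]
        }
        END { if (!found) print "not-installed" }
    '
}

# Step 3: read `wp user list --role=administrator --format=csv` from stdin and
# print every administrator login that is not in the expected list ($1,
# space-separated). Exits 1 when at least one unexpected admin was found.
unexpected_admins() {
    expected="$1"
    awk -F, -v expected=" $expected " '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        index(expected, " " $col["user_login"] " ") == 0 {
            print $col["user_login"] " (registered " $col["user_registered"] ")"
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Follow-up: files changed in the last N days (default 7), skipping the cache
# directory, plus any PHP file under uploads, which should only hold media.
recently_modified_files() {
    days="${1:-7}"
    find "$WP_ROOT" -type f -mtime -"$days" ! -path "*/wp-content/cache/*"
    find "$WP_ROOT/wp-content/uploads" -type f -name "*.php" 2>/dev/null
}

# Live run of all steps against the site. Step 2 (update) is a no-op when the
# plugin is already current. Nothing is deleted; unexpected admins are only listed.
audit_site() {
    cd "$WP_ROOT" || return 1
    echo "== plugin status =="
    wp plugin list --fields=name,status,update,version --format=csv | check_plugin_status
    echo "== updating $PLUGIN_SLUG =="
    wp plugin update "$PLUGIN_SLUG"
    echo "== administrators not in EXPECTED_ADMINS =="
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv \
        | unexpected_admins "${EXPECTED_ADMINS:-}"
    echo "== files modified in the last 7 days / PHP under uploads =="
    recently_modified_files 7
}

# The live audit runs only when explicitly requested, e.g.
#   WP_ROOT=/var/www/html EXPECTED_ADMINS="alice bob" RUN_AUDIT=1 sh audit.sh
if [ -n "${RUN_AUDIT:-}" ]; then audit_site; fi
```

`unexpected_admins` exits non-zero whenever it prints a login, so the script can sit in a cron job across client sites and page you on failure. An empty `EXPECTED_ADMINS` lists every administrator, which is the right default when you do not yet know what belongs on a site.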

Can Uptrue Detect This?

Uptrue won't catch the moment someone exploits this specific flaw — no uptime monitor can read your plugin list. But here's where it does help: if an attacker compromises your site and uses it to redirect traffic, inject spam pages, or take it offline during an attack, Uptrue will catch the resulting downtime or degraded response and alert you immediately.

That's the difference between finding out your site was hacked because a client rang you in a panic, and finding out within minutes because your monitor flagged something odd at 3am.

Right now, Uptrue is monitoring 439 sites and tracking 88 currently showing degraded performance. Attacks often cause exactly this — slow response before full collapse. The monitoring catches the symptom even when the cause isn't obvious.

Worth having that safety net in place before something goes wrong, not after.


FAQ

What is the Burst Statistics plugin? Burst Statistics is a free WordPress plugin used to track website visitor data and analytics. It's installed on a large number of WordPress sites globally.

What does the Burst Statistics vulnerability actually let hackers do? The flaw allows an attacker to bypass the login process entirely and gain full administrator access to your WordPress site — without needing your username or password.

How do I know if my site was already hacked before I updated? Go to Users → All Users in your WordPress dashboard and check for any admin accounts you don't recognise. Also look for any plugins you didn't install. A security scanner like Wordfence can run a deeper check.

Is there a patched version of Burst Statistics available? Yes. A fix has been released. Update the plugin immediately through your WordPress dashboard under Plugins → Updates.

Can uptime monitoring help with plugin vulnerabilities? Not directly — but if an attack causes your site to slow down, go offline, or behave abnormally, an uptime monitor like Uptrue will alert you fast. That early warning can limit the damage significantly.


Sources

  1. SC Media – Critical vulnerability in Burst Statistics plugin allows admin takeover
  2. RS Web Solutions – Hackers exploit authentication bypass in Burst Statistics plugin
  3. SecNews – WordPress: Hackers exploit Burst Statistics vulnerability