Burst Statistics Vulnerability: 200,000 Sites at Risk

A critical flaw in the Burst Statistics plugin lets attackers bypass your WordPress login entirely — 200,000 sites affected, here's what to do right now.


Burst Statistics Vulnerability Could Let a Stranger Into Your WordPress Site

A stranger could walk straight past your WordPress login — no password needed. That's the short version of what Wordfence disclosed on 8 May 2026, and it affects more than 200,000 sites running the Burst Statistics plugin.

What Happened With the Burst Statistics Plugin?

On 8 May 2026, Wordfence's autonomous threat research platform, PRISM, discovered a critical Authentication Bypass vulnerability in Burst Statistics. Authentication bypass means exactly what it sounds like: an attacker can skip the login step entirely and act as if they already have an account on your site.

Burst Statistics is a privacy-friendly analytics plugin — it shows you visitor stats without relying on Google Analytics. It is popular with site owners who want GDPR-friendly tracking, and has over 200,000 active installs according to Wordfence's disclosure.

The severity here is rated critical. Not "keep an eye on it" critical. Actually critical.

Who Is Affected Right Now?

If your WordPress site is running the Burst Statistics plugin, you're potentially affected. Do you know off the top of your head which version you're on? Most people don't — that's exactly the problem.

Wordfence classified this as an Authentication Bypass vulnerability, which means an unauthenticated attacker — someone with no account on your site whatsoever — could potentially gain access to protected areas. We could not confirm from the source material exactly which plugin version first introduced the flaw, or the precise upper version boundary. Check the official Wordfence disclosure for the exact version details before doing anything else.

What's Still Unclear

Honestly, the source material is a bit thin on specifics. A few things we can't confirm from what's been published so far:

  • The exact version number where the patch lands
  • Whether exploits have been seen in the wild yet
  • Whether Burst Statistics has issued a public statement beyond the patch itself

No official documentation confirms active exploitation as of 14 May 2026. That could change quickly. Authentication bypass flaws tend to attract attention fast once they're public.

What to Do Right Now

Three steps. Do them today, not next week.

1. Check if you're running Burst Statistics. Log into your WordPress dashboard, go to Plugins, and search for Burst Statistics. If it's there, note the version number.

2. Update it immediately. Go to Dashboard → Updates and apply any available update for Burst Statistics. If there's no update showing, check the plugin's page on WordPress.org directly for the latest version.

3. If you manage client sites, check those too. This is the one your client will call you about at 9am if you don't catch it first. Proactive beats reactive every time.
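For steps 1 and 3 across many sites, a server-side inventory is quicker than opening each dashboard. The script below is an added example, not code from Wordfence or the plugin's authors. It assumes shell access to the hosting root, GNU `sort`, and that the plugin directory is named `burst-statistics` (its WordPress.org slug); the patched version is not stated on this page, so you pass it in from the advisory.

```bash
#!/usr/bin/env bash
# Added example: inventory Burst Statistics installs under a hosting root.
# Assumptions: the plugin directory is named "burst-statistics", and the
# fixed version comes from the Wordfence advisory (this page does not give it).
PLUGIN_SLUG="burst-statistics"

# Print the "Version:" header of the plugin's main PHP file found in $1.
plugin_version() {
  local f
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    grep -qi 'Plugin Name:' "$f" || continue   # only the main file has this
    awk 'tolower($0) ~ /^[^a-z]*version:/ {
           sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
         }' "$f"
    return 0
  done
  return 1
}

# True when version $1 sorts strictly before version $2 (uses sort -V).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# For every install under $1, print: <plugin dir> TAB <version> TAB <status>
audit_sites() {
  local root=$1 fixed=$2 dir ver status
  find "$root" -type d -path "*/wp-content/plugins/$PLUGIN_SLUG" 2>/dev/null |
    sort | while IFS= read -r dir; do
      ver=$(plugin_version "$dir") || ver=""
      if [ -z "$ver" ]; then status="UNKNOWN"     # header missing: check by hand
      elif version_lt "$ver" "$fixed"; then status="UPDATE"
      else status="ok"
      fi
      printf '%s\t%s\t%s\n' "$dir" "${ver:-?}" "$status"
    done
}

# Usage: ./audit.sh /var/www <fixed-version-from-advisory>
if [ "$#" -eq 2 ]; then audit_sites "$1" "$2"; fi
```

Sites that do not appear in the output do not have the plugin directory at all; rows marked UNKNOWN need a manual look.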

If you're not sure whether your site went down or behaved strangely around the disclosure date, that's worth investigating. Uptrue's tracker gives you a real-time view of your site's uptime and response times — useful for spotting anything odd in the days after a vulnerability like this goes public.

Can Uptrue Detect This?

Not directly — Uptrue doesn't scan for plugin vulnerabilities. But here's the thing: a compromised site often shows symptoms. Slow response times, unexpected downtime, SSL certificate issues. These are the signals that something has gone wrong. Uptrue monitors WordPress sites for exactly those kinds of red flags, so you're not finding out from a client's angry email.

Think of it as the smoke alarm, not the fire extinguisher. Both matter.


FAQ

What is the Burst Statistics vulnerability? The Burst Statistics vulnerability, disclosed on 8 May 2026, is a critical Authentication Bypass flaw that could allow an attacker with no account on your site to gain unauthorised access to protected areas of your WordPress installation.

How many WordPress sites are affected by the Burst Statistics flaw? According to Wordfence, more than 200,000 WordPress sites have Burst Statistics installed and are potentially at risk from this vulnerability.

How do I fix the Burst Statistics vulnerability? Log into your WordPress dashboard, navigate to Dashboard → Updates, and apply the latest available update for the Burst Statistics plugin as soon as possible.

What is an authentication bypass vulnerability in plain English? An authentication bypass vulnerability means an attacker can skip the login process entirely and access parts of your site they should never be able to reach — without ever needing a username or password.

Has Burst Statistics been exploited in the wild? As of 14 May 2026, no official source has confirmed active exploitation of this vulnerability in the wild, but critical authentication bypass flaws attract attacker attention quickly once they're publicly disclosed.


Sources

  1. Wordfence – 200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin

Uptrue Team, Website Monitoring Platform