Threat actors are mass-exploiting an authentication bypass vulnerability in the Burst Statistics WordPress analytics plugin, gaining unauthenticated administrator access to sites with the plugin installed. Wordfence's threat intelligence team observed over 50,000 exploitation attempts within 24 hours of the vulnerability becoming known, with attackers using the administrative access to install backdoors, redirect site traffic to malware-delivering domains, and deface content. The plugin has over 100,000 active installations.
Vulnerability Detail
The authentication bypass exists in Burst Statistics' REST API implementation, where a nonce verification check in the plugin's settings update endpoint incorrectly validates against a publicly derivable nonce value. An unauthenticated attacker can submit a crafted POST request to the endpoint, pass the verification check, and modify plugin settings, including gaining arbitrary PHP code execution through the plugin's custom script injection feature.
Once code execution is achieved, attackers have been observed taking the following post-exploitation actions:
- Installing the malicious WordPress plugin "wp-fast-cache" as a persistent backdoor
- Adding a rogue administrator account
- Inserting JavaScript redirects into WordPress option values
- Exfiltrating stored credentials and wp-config.php database credentials
The vulnerability was disclosed to the Burst Statistics developer team on 9 May. A patched version (2.7.1) was released on 12 May, but active exploitation was observed before many sites had applied the update.
Why WordPress Plugin Vulnerabilities Spread Rapidly
WordPress plugin vulnerabilities have become a high-volume target for automated mass exploitation because:
- Plugin vulnerabilities are publicly announced in CVE feeds and security scanner databases that attackers actively monitor
- WordPress sites often lag on plugin updates, creating exploitation windows measured in days rather than hours
- A single automated scanner can test millions of sites for a specific plugin presence, enabling mass targeting with minimal infrastructure
The Burst Statistics exploit requires only a single HTTP request, making it trivially automatable. The short gap between public disclosure and active exploitation (in this case under 72 hours) reflects the speed of the automated exploitation ecosystem.
Recommended Actions
- Update immediately: Update Burst Statistics to version 2.7.1 or later from the WordPress plugins dashboard.
- Check for compromise: Review WordPress administrator accounts for any accounts created after 9 May that you cannot recognise. Check wp_options for injected JavaScript in the siteurl, home, or blogdescription values. Scan your WordPress installation with a malware scanner (Wordfence, Sucuri SiteCheck).
- Review REST API exposure: Ensure your WordPress installation applies proper authentication to all REST API endpoints. The Disable REST API plugin can restrict unauthenticated REST access if not required.
- Plugin update policy: Implement automatic updates for WordPress plugins with active security disclosures. A plugin with over 100,000 installs that has a known auth bypass should be patched within 24 hours, not at the next scheduled maintenance window.
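The "check for compromise" step above can be turned into a repeatable triage script. The following is an added example written for this article, not code from Wordfence or the Burst Statistics project: it checks exported wp_options values, user records and the active plugin list against the indicators the article lists (injected JavaScript in siteurl/home/blogdescription, unrecognised administrators created after 9 May, and the "wp-fast-cache" backdoor plugin). The row format, the sample data and the year in the cutoff date are constructed for the example; the functions expect data you have already exported from your own database.

```python
"""Post-exploitation triage for the Burst Statistics auth-bypass indicators.

Added example (not the plugin's or Wordfence's code). Input rows are
dicts/lists you export yourself from wp_users, wp_usermeta and wp_options;
the SAMPLE_* values below are constructed and do not come from a real site.
"""
import re
from datetime import datetime

# Signs of injected JavaScript or PHP in an option that should be plain text.
INJECTION_PATTERNS = [
    re.compile(r"<script\b", re.IGNORECASE),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"(window|document)\.location\s*=", re.IGNORECASE),
    re.compile(r"eval\s*\(|base64_decode\s*\(", re.IGNORECASE),
]

# Option names the article says were abused to hold redirects.
WATCHED_OPTIONS = {"siteurl", "home", "blogdescription"}

# siteurl and home must be a bare http(s) URL with no markup or whitespace.
PLAIN_URL = re.compile(r"""https?://[^\s<>"']+""")


def suspicious_options(options):
    """Return sorted (option_name, reason) pairs for watched options that look tampered."""
    findings = []
    for name in WATCHED_OPTIONS:
        value = options.get(name, "")
        for pat in INJECTION_PATTERNS:
            if pat.search(value):
                findings.append((name, "injection pattern: " + pat.pattern))
                break
        else:
            if name in ("siteurl", "home") and not PLAIN_URL.fullmatch(value):
                findings.append((name, "not a plain URL"))
    return sorted(findings)


def unrecognised_admins(users, known_logins, cutoff):
    """Return administrator logins registered at or after cutoff that are not in known_logins.

    Each user is a dict with user_login, user_registered (MySQL DATETIME text)
    and roles (list of role slugs resolved from wp_usermeta).
    """
    out = []
    for user in users:
        if "administrator" not in user["roles"]:
            continue
        registered = datetime.fromisoformat(user["user_registered"])
        if registered >= cutoff and user["user_login"] not in known_logins:
            out.append(user["user_login"])
    return sorted(out)


def installed_backdoor_plugins(active_plugins, known_bad):
    """Return active plugin slugs that appear in known_bad.

    active_plugins is the unserialised 'active_plugins' option: entries like
    'slug/main-file.php'.
    """
    slugs = {entry.split("/", 1)[0] for entry in active_plugins}
    return sorted(slugs & set(known_bad))


def triage(options, users, active_plugins, known_logins, cutoff, known_bad):
    """Aggregate the three checks into one report dict."""
    return {
        "options": suspicious_options(options),
        "admins": unrecognised_admins(users, known_logins, cutoff),
        "plugins": installed_backdoor_plugins(active_plugins, known_bad),
    }


# ---- Constructed sample data (not real site data) ----
SAMPLE_OPTIONS = {
    "siteurl": "https://example.test",
    "home": 'https://example.test"><script src="https://malicious.example/r.js"></script>',
    "blogdescription": "Just another WordPress site",
}
SAMPLE_USERS = [
    {"user_login": "alice", "user_registered": "2023-01-15 10:00:00", "roles": ["administrator"]},
    {"user_login": "editor1", "user_registered": "2025-05-10 08:00:00", "roles": ["editor"]},
    {"user_login": "wp_support", "user_registered": "2025-05-11 03:12:44", "roles": ["administrator"]},
]
SAMPLE_ACTIVE_PLUGINS = ["burst-statistics/burst.php", "wp-fast-cache/wp-fast-cache.php"]
KNOWN_ADMINS = {"alice"}
KNOWN_BAD_PLUGINS = ["wp-fast-cache"]  # slug named in the article
CUTOFF = datetime(2025, 5, 9)  # 9 May per the article; the year is assumed for the sample

if __name__ == "__main__":
    report = triage(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_ACTIVE_PLUGINS,
                    KNOWN_ADMINS, CUTOFF, KNOWN_BAD_PLUGINS)
    for section, hits in report.items():
        print(f"{section}: {hits if hits else 'clean'}")
```

The option check deliberately flags siteurl/home on anything that is not a bare URL rather than only on known malicious patterns, because a redirect payload only needs to differ from the original value to be effective; any hit should be confirmed against a known-good backup before the value is restored.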