Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs

Summary

Two WordPress plugins—Kirki (versions 6.0.0–6.0.6) and Burst Statistics (versions 3.4.0–3.4.1.1)—are under active exploitation for privilege escalation and account takeover. Kirki's flaw allows unauthenticated attackers to reset admin passwords via an arbitrary email address, while Burst Statistics' authentication bypass lets attackers impersonate administrators through REST API requests. Defiant reports blocking thousands of attacks and warns that hundreds of thousands of websites remain at risk.

Full text

Hundreds of thousands of websites are potentially exposed to attacks exploiting two vulnerabilities in the Kirki and Burst Statistics WordPress plugins, Defiant warns. Kirki provides website and freeform page creation, and WordPress customizer enhancements. The plugin’s versions 6.0.0 to 6.0.6 are affected by an unauthenticated privilege escalation and account takeover bug. Tracked as CVE-2026-8206 (CVSS score of 9.8), the issue impacted the plugin’s password reset flow, which allowed attackers to provide a username and an arbitrary email address and have a password reset key sent to that address. “This means an unauthenticated attacker can send a request specifying a high-privileged username together with an attacker-controlled email address and receive a valid password reset link for the targeted account,” Defiant explains. The attacker can then use the reset link to take control of the targeted account. By resetting the password for an administrative account, the attacker can take over the entire website. A lightweight plugin for WordPress, Burst Statistics provides users with an intuitive analytics dashboard with insights into site traffic, visitor sources, page performance, and more.Advertisement. Scroll to continue reading. Versions 3.4.0 to 3.4.1.1 of the plugin were affected by an authentication bypass vulnerability that allowed unauthenticated attackers to elevate their privileges to administrator and take control of a vulnerable site. The bug existed because the function responsible for validating application passwords from the Authorization header contained an incorrect return-value, allowing attackers to send a REST API request and impersonate an administrator for the duration of the request. “The plugin incorrectly treats the request as authenticated and sets the current user to the supplied administrator account, allowing unauthorized access to administrator-level REST API functionality, such as creating a new administrator account,” Defiant notes. The web protection firm says it has blocked thousands of attacks targeting these vulnerabilities over the past 24 hours and warns that hundreds of thousands of websites are potentially at risk. Kirki has over 500,000 active installations, but only 150,000 sites are believed to be running a vulnerable plugin version. Burst Statistics has more than 200,000 active installations. Users are advised to update to Kirki version 6.0.7 or newer, and to Burst Statistics version 3.4.2 or newer, which contain patches for the exploited security defects. Related: Organizations Warned of Exploited Linux Kernel Vulnerability Related: ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds Related: Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk Related: Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Critical Vulnerability in HP VoIP Phones Enables Enterprise Network BreachesMeta AI Hands Over High-Profile Instagram Accounts to HackersSupply Chain Attack Hits 32 Red Hat NPM PackagesOracle’s First Monthly Patches Resolve 77 VulnerabilitiesWP Maps Pro Vulnerability Exploited to Take Over WordPress SitesDutch Police Dismantle Massive 17-Million-Device BotnetCritical Windows Netlogon Vulnerability in Attackers’ Crosshairs19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access Latest News Security of 100 AI Agents Tested and Ranked – What You Need to KnowHackers Target Global Stock Exchange in Espionage OperationIMA Diligence Services Data Breach Impacts 525,000 PeopleOrganizations Warned of Exploited Linux Kernel Vulnerability‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in SecondsMicrosoft Tries to Calm Legal Threat Fears After Zero-Day Disclosure BacklashTrump Signs Executive Order That Invites Vetting of Top AI Models for National Security RisksTwo New Reports Offer Competing Explanations for Cybersecurity’s Growing Crisis Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register Virtual Roundtable: CISO Forum 2026 Mid-Year Review June 10, 2026 Explore how attackers are using AI to scale threats and how security teams can respond with AI-driven defenses. Protecting against unmonitored use of generative AI (Shadow AI) in business units and building and enforcing AI governance frameworks. Register People on the MoveRapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board.Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter.CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.More People On The MoveExpert Insights The Zero-Knowledge Threat Actor and the End of Responsible Disclosure AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor) Raising the Cybersecurity Stakes: Ante up for the Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience is the New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-8206

Entities