CVE-2026-8181 — an authentication bypass in the Burst Statistics WordPress plugin that leads to remote code execution. Public reporting puts the CVSS score at 9.8 and notes exploitation in the wild. Roughly 200,000 sites use the plugin.

The original public note (securityonline.info): 200K Sites at Risk: 9.8 CVSS RCE via Burst Statistics Auth Bypass Exploited in the Wild. For canonical CVE info, see CVE-2026-8181.

Why this one matters

Three properties that together make exploitation easy and consequential:

  • No authentication required. An attacker doesn't need a login, doesn't need to phish anyone, doesn't need a foothold.
  • Code execution. The endpoint doesn't just leak data — it runs attacker-supplied code on the server.
  • High install base + active exploitation reports. When the bug is public AND mass scanners are already firing, the window between "I should patch" and "someone else got there first" is short.

Triage if you use the plugin

  1. Update first, investigate second. The patched version is in the WordPress.org repo. If you can't update for some reason, deactivate the plugin and remove its folder from disk: deactivation only stops WordPress from loading the plugin, and on many server configs the PHP files left under wp-content/plugins/ remain directly reachable over HTTP.
  2. Check uploads for PHP. PHP execution out of wp-content/uploads/ is almost never legitimate:

     ```sh
     find wp-content/uploads -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) -mtime -90
     ```

     The -mtime filter cuts noise but is not a control: an attacker can reset timestamps with touch, so run the same find without it as well and compare the two lists.
  3. Check admin users created in the last 90 days. The SQL query in the million-sites writeup works here too.
  4. Look for wp_options rows you don't recognise, particularly rows whose option_value holds base64-encoded or eval-style PHP, and freshly created rows with autoload set to yes. wp_options has no timestamp column, but option_id is auto-increment, so sorting by option_id descending surfaces the newest rows.
  5. Check your error log and access log for requests to the Burst plugin endpoints in the days before you patched, and for any follow-on requests to PHP files under wp-content/uploads/ (a hit on a planted file is the execution, not just the drop).
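The five steps above collected into one script, as an added example written for this page rather than code from the original post or from the Burst Statistics project. It assumes the plugin folder is wp-content/plugins/burst-statistics, that its REST routes sit under /wp-json/burst/, a wp_ table prefix and a combined-format access log; adjust those for your host. The fixture it builds is constructed sample data (a WordPress-shaped temp tree, one planted PHP file, three made-up log lines), not a recording of a real intrusion, and the file name burst-triage.sh in the usage note is hypothetical.

```sh
#!/bin/sh
# Triage helper for the five steps above. Added example for this page, not code
# from the original post or from the Burst Statistics project. Assumed and
# adjustable: plugin folder wp-content/plugins/burst-statistics, REST routes
# under /wp-json/burst/, table prefix wp_, combined-format access log.

# Step 1 follow-up: deactivating only stops WordPress loading the plugin; its
# PHP files stay on disk and are often still reachable over HTTP. Exit 0 = present.
plugin_still_on_disk() {
    [ -d "$1/wp-content/plugins/burst-statistics" ]
}

# Step 2: PHP-like files under uploads. With a day count, only files modified
# that recently; without one, every file. mtime is trivially reset with touch(1),
# so run both and diff the lists rather than trusting the time filter.
find_php_in_uploads() {
    _root=$1; _days=$2
    if [ -n "$_days" ]; then
        find "$_root/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.phar' \) \
            -mtime "-$_days"
    else
        find "$_root/wp-content/uploads" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.phar' \)
    fi
}

# Step 3: administrators registered in the last N days. Emits SQL for
# `wp db query` or the mysql client; the capabilities meta_key carries the prefix.
admin_users_sql() {
    _p=$1; _d=$2
    printf "SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM ${_p}users u JOIN ${_p}usermeta m ON m.user_id = u.ID
WHERE m.meta_key = '${_p}capabilities'
  AND m.meta_value LIKE '%%administrator%%'
  AND u.user_registered >= NOW() - INTERVAL %s DAY
ORDER BY u.user_registered DESC;\n" "$_d"
}

# Step 4: wp_options has no timestamp, but option_id is auto-increment, so the
# newest rows have the highest ids. Flags values that look like an encoded PHP
# loader plus the 200 newest autoloaded rows (autoload is 'yes' or, on newer
# WordPress releases, 'on').
options_sql() {
    _p=$1
    printf "SELECT option_id, option_name, autoload, LEFT(option_value, 120) AS head
FROM ${_p}options
WHERE option_value REGEXP 'base64_decode|eval[(]|gzinflate|str_rot13|create_function'
   OR (autoload IN ('yes', 'on')
       AND option_id > (SELECT MAX(option_id) - 200 FROM ${_p}options))
ORDER BY option_id DESC;\n"
}

# Step 5: requests that touched the plugin, then requests to any PHP under
# uploads (a hit on a file step 2 found is the execution, not just the drop).
burst_requests() {
    grep -E '/wp-content/plugins/burst-statistics/|/wp-json/burst/' "$1"
}
uploads_php_requests() {
    grep -E '/wp-content/uploads/[^ "]*\.php' "$1"
}

# Runs every check against a site root and its access log. SQL is printed for
# you to run against the database; the filesystem and log checks run directly.
# Usage: triage SITE_ROOT ACCESS_LOG [TABLE_PREFIX] [DAYS]
triage() {
    echo "== plugin folder"; plugin_still_on_disk "$1" && echo "STILL PRESENT: $1/wp-content/plugins/burst-statistics"
    echo "== PHP under uploads, last ${4:-90} days"; find_php_in_uploads "$1" "${4:-90}"
    echo "== PHP under uploads, any age";            find_php_in_uploads "$1"
    echo "== SQL: recent administrators";            admin_users_sql "${3:-wp_}" "${4:-90}"
    echo "== SQL: suspicious options";               options_sql "${3:-wp_}"
    echo "== requests touching the plugin";          burst_requests "$2"
    echo "== requests to PHP under uploads";         uploads_php_requests "$2"
}

# Constructed fixture (not real data): a bare WordPress-shaped tree, one planted
# PHP file under uploads, and three made-up log lines, two of which hit the plugin.
# Prints the temp directory it created.
make_fixture() {
    _d=$(mktemp -d)
    mkdir -p "$_d/wp-content/uploads/2026/05" "$_d/wp-content/plugins/burst-statistics"
    : > "$_d/wp-content/uploads/2026/05/photo.jpg"
    printf '%s\n' '<?php @eval($_POST["c"]);' > "$_d/wp-content/uploads/2026/05/wp-cache.php"
    cat > "$_d/access.log" <<'EOF'
203.0.113.9 - - [03/May/2026:02:14:07 +0000] "POST /wp-json/burst/v1/ENDPOINT HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [03/May/2026:02:14:09 +0000] "GET /wp-content/uploads/2026/05/wp-cache.php?c=id HTTP/1.1" 200 64 "-" "curl/8.4.0"
203.0.113.9 - - [03/May/2026:02:14:12 +0000] "GET /wp-content/plugins/burst-statistics/FILE.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
EOF
    printf '%s\n' "$_d"
}
```

Source it and run `triage /var/www/site /var/log/nginx/access.log wp_ 90` on the host (for example `. ./burst-triage.sh`, a hypothetical file name); `make_fixture` exists only so the checks can be tried offline before pointing them at a real site. The two SQL functions print rather than execute so the same script works whether you reach the database through wp-cli, mysql, or a hosting panel.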

If you find something

Don't try to "clean" by deleting the obvious file — successful intrusions usually drop persistence in multiple places. Cron jobs, modified core files, sleeper accounts. Open an engagement if you'd like a second pair of eyes on the diff.

Why we keep writing about plugins

Most WordPress compromises we see in 2026 don't come from WordPress core. They come from a plugin that someone installed years ago, never updated, and that gained an unauthenticated RCE long after it left active development. The path to a calmer site is: fewer plugins, all updated, with someone who notices when one of them gets a 9.8.