A successful attack gives an adversary the same administrative access as your website team — they can steal customer data, inject malware that infects your visitors' devices, redirect your site to fraudulent pages, or destroy content entirely. For businesses using their WordPress site for e-commerce, lead generation, or customer engagement, this means potential data breach liability, customer trust damage, and direct revenue loss from site downtime or defacement. With active mass exploitation already confirmed at scale, unpatched sites are not facing a theoretical risk — they are facing an immediate, ongoing threat.
You Are Affected If
You run the Burst Statistics WordPress plugin at version 3.4.0 or 3.4.1 on any WordPress installation
The WordPress site is internet-facing (public or semi-public) — this vulnerability requires no authentication and no user interaction
You have not yet upgraded to Burst Statistics version 3.4.2
Your WAF or IPS does not have a rule blocking unauthenticated requests to Burst Statistics REST API endpoints
The WordPress installation was active between April 23, 2026 and the date of patching — any site in that window may have already been compromised and should be treated as potentially affected even after patching
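A first-pass triage for the administrator-account audit this advisory calls for, added here as an example and not part of the original advisory: it reads a `wp user list --format=json` export (a constructed sample is embedded) and flags administrator accounts registered between the start of the exploitation window and the site's patch date. The patch date and the sample users are assumptions.

```python
import json
from datetime import datetime

# First day of the confirmed exploitation window, per the advisory.
WINDOW_START = datetime(2026, 4, 23)
# Assumed patch date for the sample site; replace with the real one.
PATCHED_AT = datetime(2026, 4, 28)

# Constructed sample in the shape of `wp user list --format=json`
# (the `roles` field is a comma-separated string in WP-CLI output).
SAMPLE_USERS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2021-03-02 09:15:00", "roles": "administrator"},
 {"ID": 12, "user_login": "jane.editor", "user_email": "jane@example.com",
  "user_registered": "2026-04-24 10:02:11", "roles": "editor"},
 {"ID": 57, "user_login": "wp_support_tmp", "user_email": "x@mail.invalid",
  "user_registered": "2026-04-25 03:41:09", "roles": "administrator"},
 {"ID": 58, "user_login": "shop_admin", "user_email": "ops@example.com",
  "user_registered": "2026-05-02 08:00:00", "roles": "shop_manager,administrator"}
]"""


def admins_created_in_window(users_json, window_start=WINDOW_START, patched_at=PATCHED_AT):
    """Return administrator accounts whose registration timestamp falls inside
    [window_start, patched_at]. Each hit needs manual verification: a legitimate
    admin may have been created in that window, and an attacker with database
    access can backdate user_registered, so an empty result is not proof of safety."""
    hits = []
    for user in json.loads(users_json):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if window_start <= registered <= patched_at:
            hits.append({"ID": user["ID"], "user_login": user["user_login"],
                         "user_registered": user["user_registered"]})
    return sorted(hits, key=lambda h: h["user_registered"])


if __name__ == "__main__":
    for hit in admins_created_in_window(SAMPLE_USERS_JSON):
        print(f"REVIEW: admin #{hit['ID']} {hit['user_login']} created {hit['user_registered']}")
```

Run the same check against every WordPress instance that ran the vulnerable versions, and compare the flagged logins against your change records before deciding an account is unauthorized.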
Board Talking Points
A critical flaw in a widely used website analytics plugin allows attackers to take full administrative control of affected WordPress sites with no login required, and attacks are happening right now at high volume.
Security teams should update all instances of the Burst Statistics plugin to version 3.4.2 immediately and audit for unauthorized administrator accounts — this should be completed within 24 hours.
Sites that remain unpatched face certain, ongoing exploitation attempts; a successful attack could result in customer data theft, site defacement, or malware delivery to site visitors, each carrying regulatory and reputational consequences.
PCI-DSS — if the affected WordPress site handles or routes payment card data, full admin takeover creates a direct path to cardholder data environment compromise
GDPR / applicable data protection law — WordPress sites collecting EU resident personal data (contact forms, user accounts, analytics) are subject to breach notification obligations if attacker access results in unauthorized data access or exfiltration