CVE-2026-8181 is a CVSS 9.5 authentication bypass in the Burst Statistics WordPress plugin (versions 3.4.0 and 3.4.1) that allows unauthenticated attackers to create WordPress administrator accounts and take full control of affected sites. Active mass exploitation is confirmed. Approximately 115,000 of 200,000 active installs remain unpatched as of May 14, 2026. The patch is available in version 3.4.2.