Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs

Threat actors are exploiting vulnerable Kirki and Burst Statistics deployments to elevate privileges and take over websites.

Hundreds of thousands of websites are potentially exposed to attacks exploiting two vulnerabilities in the Kirki and Burst Statistics WordPress plugins, Defiant warns.

Kirki provides website and freeform page creation, and WordPress customizer enhancements. The plugin’s versions 6.0.0 to 6.0.6 are affected by an unauthenticated privilege escalation and account takeover bug.

Tracked as CVE-2026-8206 (CVSS score of 9.8), the issue affected the plugin’s password reset flow, which let attackers supply a username together with an arbitrary email address and have the password reset key for that user sent to the supplied address.

“This means an unauthenticated attacker can send a request specifying a high-privileged username together with an attacker-controlled email address and receive a valid password reset link for the targeted account,” Defiant explains.

The attacker can then use the reset link to take control of the targeted account. By resetting the password for an administrative account, the attacker can take over the entire website.
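The defect class described above, as an added illustration that is not Kirki’s own code: a hypothetical WordPress REST handler that mails a reset key to a caller-supplied address, beside the corrected pattern that only ever mails the address stored on the user record. The route name, parameter names and function names are assumptions; `get_password_reset_key()`, `wp_mail()` and `register_rest_route()` are WordPress core functions.

```php
<?php
// Added example, not Kirki's code. The endpoint name, parameter names and
// function names below are assumptions; the WordPress functions used are core.

// Weak pattern (the flaw class from the advisory): the reset key for the
// named user is generated correctly, but the destination address is taken
// from the request instead of from the account.
function example_reset_weak( WP_REST_Request $request ) {
    $user = get_user_by( 'login', (string) $request['username'] );
    if ( ! $user instanceof WP_User ) {
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }
    $key = get_password_reset_key( $user ); // valid key for $user
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    // Defect: whoever sends the request chooses who receives the key.
    wp_mail( (string) $request['email'], 'Password reset', $link );
    return array( 'sent' => true );
}

// Corrected pattern: the request never influences the destination, and the
// response is identical whether or not the account exists (no enumeration).
function example_reset_hardened( WP_REST_Request $request ) {
    $user = get_user_by( 'login', (string) $request['username'] );
    if ( $user instanceof WP_User ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
            // Only the address already stored for the account receives the key.
            wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
        }
    }
    return array( 'sent' => true );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reset', array(
        'methods'             => 'POST',
        'callback'            => 'example_reset_hardened',
        // Public by design: reset requests come from logged-out users.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The hardened handler deliberately accepts no email parameter at all: a password reset endpoint has no legitimate reason to let the caller choose where the key is delivered, and removing the parameter is a simpler review check than validating it.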

A lightweight plugin for WordPress, Burst Statistics provides users with an intuitive analytics dashboard with insights into site traffic, visitor sources, page performance, and more.

Versions 3.4.0 to 3.4.1.1 of the plugin were affected by an authentication bypass vulnerability that allowed unauthenticated attackers to elevate their privileges to administrator and take control of a vulnerable site.

The bug existed because the function responsible for validating application passwords from the Authorization header returned an incorrect value, so an unauthenticated attacker could send a REST API request naming an administrator and be treated as that administrator for the duration of the request.

“The plugin incorrectly treats the request as authenticated and sets the current user to the supplied administrator account, allowing unauthorized access to administrator-level REST API functionality, such as creating a new administrator account,” Defiant notes.
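The return-value defect class described above, as an added illustration that is not Burst Statistics’ own code: a hypothetical `determine_current_user` filter that validates an application password from the Authorization header, showing a version that hands back the named user regardless of the validation result beside the corrected version that only changes the current user on a successful `WP_User` result. The helper and function names are assumptions; `wp_authenticate_application_password()` and the `determine_current_user` filter are WordPress core.

```php
<?php
// Added example, not Burst Statistics' code. Function names are assumptions;
// wp_authenticate_application_password() and determine_current_user are core.

// Parse "Authorization: Basic base64(username:app_password)".
// Returns [ username, app_password ] or null when the header is absent/malformed.
function example_parse_basic_auth() {
    if ( empty( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
        return null;
    }
    if ( ! preg_match( '/^Basic\s+(\S+)$/i', $_SERVER['HTTP_AUTHORIZATION'], $m ) ) {
        return null;
    }
    $decoded = base64_decode( $m[1], true );
    if ( false === $decoded || false === strpos( $decoded, ':' ) ) {
        return null;
    }
    return explode( ':', $decoded, 2 );
}

// Weak pattern (the flaw class from the advisory): the password check runs,
// but its result is not what decides the return value.
function example_auth_weak( $input_user ) {
    $creds = example_parse_basic_auth();
    if ( ! $creds ) {
        return $input_user;
    }
    $user   = get_user_by( 'login', $creds[0] );
    $result = $user ? wp_authenticate_application_password( null, $creds[0], $creds[1] ) : null;
    // Defect: the looked-up user is returned whether or not $result is a WP_User.
    return $user ? $user->ID : $input_user;
}

// Corrected pattern: only a successful WP_User result sets the current user;
// a WP_Error (wrong password, application passwords disabled, ...) or a
// not-applicable result leaves $input_user untouched.
function example_auth_hardened( $input_user ) {
    if ( ! empty( $input_user ) ) {
        return $input_user; // another mechanism already authenticated this request
    }
    $creds = example_parse_basic_auth();
    if ( ! $creds ) {
        return $input_user;
    }
    $result = wp_authenticate_application_password( null, $creds[0], $creds[1] );
    if ( $result instanceof WP_User ) {
        return $result->ID;
    }
    return $input_user;
}

add_filter( 'determine_current_user', 'example_auth_hardened', 20 );
```

The review check that catches this class of bug is to trace every return path of the authentication callback and confirm that a user ID is returned only on the branch where the credential check actually succeeded; any branch that returns the requested user on failure, or that returns a truthy value by mistake, is an authentication bypass.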

The web protection firm says it has blocked thousands of attacks targeting these vulnerabilities over the past 24 hours and warns that hundreds of thousands of websites are potentially at risk.

Kirki has over 500,000 active installations, but only 150,000 sites are believed to be running a vulnerable plugin version. Burst Statistics has more than 200,000 active installations.

Users are advised to update to Kirki version 6.0.7 or newer, and to Burst Statistics version 3.4.2 or newer, which contain patches for the exploited security defects.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.