WordPress Administrators Urged to Update Kirki and Burst Statistics Plugins Following Website Takeover Risks


303/69 Friday, June 5, 2026

Researchers from Defiant (Wordfence) have warned that threat actors are actively exploiting vulnerabilities in the WordPress plugins Kirki and Burst Statistics to escalate privileges and take control of vulnerable websites. The first flaw, tracked as CVE-2026-8206 (CVSS 9.8), affects Kirki versions 6.0.0 through 6.0.6. It is a privilege escalation and account takeover vulnerability within the password reset process, allowing unauthenticated attackers to submit password reset requests using a target username while specifying an email address under the attacker’s control, thereby obtaining password reset links for victim accounts.

A second vulnerability affects Burst Statistics versions 3.4.0 through 3.4.1.1. This authentication bypass flaw allows unauthenticated attackers to elevate privileges to administrator level and take over vulnerable websites. The issue stems from improper handling of return values during the validation of Application Passwords, enabling attackers to access administrator-level functions, including creating new administrator accounts and gaining full control of affected WordPress sites.

Defiant reported blocking a significant number of exploitation attempts targeting both vulnerabilities and warned that a large number of websites may still be exposed. Kirki is installed on more than 500,000 websites, with an estimated 150,000 sites still running vulnerable versions. Meanwhile, Burst Statistics is installed on over 200,000 websites. Website administrators are strongly advised to update to Kirki version 6.0.7 or later and Burst Statistics version 3.4.2 or later as soon as possible. Additionally, administrators should review recently created administrator accounts and investigate unusual password reset activity to detect potential compromise and prevent website takeover.
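The two checks recommended above (are the installed plugin versions still in the affected ranges, and have any administrator accounts appeared recently?) can be scripted against WP-CLI output. The following is an added example, not code from the advisory or from either plugin; it assumes the plugin slugs are `kirki` and `burst-statistics`, takes the JSON that `wp plugin list --format=json` and `wp user list --role=administrator --fields=ID,user_login,user_registered --format=json` produce, and uses constructed sample output so it runs offline.

```python
import json
from datetime import datetime, timedelta

# Affected ranges as stated in the advisory: [first_affected, fixed_in).
# Slugs are assumed to match the plugins' WordPress.org directory names.
ADVISORIES = {
    "kirki": ("6.0.0", "6.0.7"),
    "burst-statistics": ("3.4.0", "3.4.2"),
}

def parse_version(v):
    """Turn '3.4.1.1' into a comparable tuple of ints, padded to 4 parts."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def vulnerable_plugins(plugin_list_json):
    """Return (name, installed, fixed_in) for plugins inside an affected range.
    Input: JSON from `wp plugin list --format=json`."""
    hits = []
    for p in json.loads(plugin_list_json):
        rng = ADVISORIES.get(p["name"])
        if rng is None:
            continue
        v = parse_version(p["version"])
        if parse_version(rng[0]) <= v < parse_version(rng[1]):
            hits.append((p["name"], p["version"], rng[1]))
    return hits

def recent_admins(user_list_json, now_str, days=14):
    """Return administrator logins registered within the last `days` days.
    Input: JSON from `wp user list --role=administrator
    --fields=ID,user_login,user_registered --format=json`."""
    fmt = "%Y-%m-%d %H:%M:%S"
    cutoff = datetime.strptime(now_str, fmt) - timedelta(days=days)
    return [u["user_login"] for u in json.loads(user_list_json)
            if datetime.strptime(u["user_registered"], fmt) >= cutoff]

# Constructed sample output (not from a real site) in WP-CLI's JSON format.
SAMPLE_PLUGINS = json.dumps([
    {"name": "kirki", "status": "active", "update": "available", "version": "6.0.5"},
    {"name": "burst-statistics", "status": "active", "update": "none", "version": "3.4.2"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2021-03-10 08:00:00"},
    {"ID": 57, "user_login": "wp_support", "user_registered": "2026-06-03 02:14:09"},
])

if __name__ == "__main__":
    for name, ver, fixed in vulnerable_plugins(SAMPLE_PLUGINS):
        print(f"UPDATE NEEDED: {name} {ver} -> {fixed} or later")
    for login in recent_admins(SAMPLE_USERS, "2026-06-05 00:00:00"):
        print(f"REVIEW: administrator '{login}' was created in the last 14 days")
```

A flagged account is only a lead: confirm how it was created (and check the password reset log, as the advisory suggests) before treating it as compromise.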

Source: https://www.securityweek.com/kirki-burst-statistics-wordpress-plugin-flaws-in-attackers-crosshairs/