CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
From CTI Daily Brief — 2026-06-04 · published 2026-06-04
Two unauthenticated flaws in widely deployed WordPress plugins are under active mass-exploitation (SecurityWeek, 2026-06-03).

CVE-2026-8206 — Kirki Freeform Page Builder 6.0.0–6.0.6 (500k installs): the custom REST endpoint handle_forgot_password() accepts an attacker-supplied email alongside a victim username and routes the genuine reset link to the attacker, giving full takeover of any account including admin. Wordfence blocked 222+ attempts within 24 h of the 2 June disclosure; the fix is v6.0.7 (BleepingComputer, 2026-06-02).

CVE-2026-8181 — Burst Statistics 3.4.0 through 3.4.1.1 (200k installs): the plugin mis-validates WordPress application passwords in its REST API authentication path, letting an unauthenticated attacker impersonate any known admin over the REST API and create rogue admin accounts (T1136.001). ~7,400 attacks were blocked in a single 24 h peak; the fix is v3.4.2 (BleepingComputer, 2026-06-02 · heise Security, 2026-06-03).

Hunt WordPress access logs for unauthenticated REST calls to /wp-json/kirki/* and the Burst Statistics REST endpoints, and for unexpected admin-user creation.
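The hunt above, worked through as a small script. This is an added example, not tooling from the brief, Wordfence, or either plugin: it parses combined-format access-log lines, tags hits on the targeted REST prefixes and on the core WordPress user-creation paths, correlates the two per source IP, and checks installed plugin versions against the affected ranges the brief gives. The /wp-json/kirki/ prefix comes from the brief; the /wp-json/burst/ prefix is an assumption about the Burst Statistics REST namespace and should be adjusted to what your own logs show. The sample log lines, their source addresses and the route names under the prefixes are constructed for the example.

```python
"""Hunt WordPress access logs for the CVE-2026-8206 / CVE-2026-8181 patterns
named in the brief, and triage plugin versions against the affected ranges.
Added example; lines marked ASSUMPTION are not taken from the brief."""
import re
from collections import defaultdict

# Affected ranges and fixed versions, as stated in the brief.
AFFECTED = {
    # plugin slug -> (first affected, last affected, fixed version)
    "kirki": ("6.0.0", "6.0.6", "6.0.7"),
    "burst-statistics": ("3.4.0", "3.4.1.1", "3.4.2"),
}

# REST prefixes to hunt.  /wp-json/kirki/ is from the brief.
# ASSUMPTION: Burst Statistics routes live under /wp-json/burst/.
HUNT_PREFIXES = {
    "/wp-json/kirki/": "kirki-rest",
    "/wp-json/burst/": "burst-rest",
}

# Core WordPress paths through which a new user account is created.
USER_CREATE_PATHS = ("/wp-json/wp/v2/users", "/wp-admin/user-new.php")

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines: one Kirki hit, one Burst hit, then the same
# source creating a user via the core REST API, plus two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Jun/2026:14:03:11 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 142 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/Jun/2026:14:03:12 +0000] "POST /wp-json/burst/v1/data HTTP/1.1" 200 88 "-" "curl/8.4"',
    '203.0.113.10 - - [02/Jun/2026:14:04:01 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 512 "-" "python-requests/2.31"',
    '192.0.2.5 - - [02/Jun/2026:14:05:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [02/Jun/2026:14:05:03 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]


def parse_version(v):
    """'3.4.1.1' -> (3, 4, 1, 1); tuple order gives 3.4.1.1 < 3.4.2."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(plugin, installed):
    """True when the installed version lies inside the affected range."""
    first, last, _fixed = AFFECTED[plugin]
    return parse_version(first) <= parse_version(installed) <= parse_version(last)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the hunt tags that apply to one parsed access-log entry."""
    path = entry["path"].split("?", 1)[0]  # drop the query string
    tags = [tag for prefix, tag in HUNT_PREFIXES.items() if path.startswith(prefix)]
    if entry["method"] == "POST" and path.rstrip("/") in USER_CREATE_PATHS:
        tags.append("user-create")
    return tags


def hunt(lines):
    """Parse lines and keep only the entries that match a hunt rule."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({**entry, "tags": tags})
    return findings


def correlate(findings):
    """IPs that hit a targeted plugin endpoint AND created a user account."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].update(f["tags"])
    return sorted(ip for ip, tags in by_ip.items()
                  if "user-create" in tags and tags - {"user-create"})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["path"], f["tags"])
    print("priority IPs:", correlate(SAMPLE_LOG and hunt(SAMPLE_LOG)))
    for plugin, ver in (("kirki", "6.0.6"), ("burst-statistics", "3.4.2")):
        print(plugin, ver, "vulnerable" if is_vulnerable(plugin, ver) else "patched")
```

Access logs do not carry WordPress session state, so every hit on these prefixes is a lead rather than proof of an unauthenticated call; confirm against the wp_users table and any audit log, and treat an IP that appears in correlate() as the first to triage. The version check covers the brief's ranges only; 3.4.1.1 sorts below 3.4.2 under the tuple comparison, which is why a naive string compare would be wrong here.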