A recent report from SecurityWeek warns that hundreds of thousands of websites are exposed to attack through two critical vulnerabilities in the Kirki and Burst Statistics WordPress plugins. The Kirki plugin, used for website design enhancements, has an unauthenticated privilege escalation bug (CVE-2026-8206) affecting versions 6.0.0 to 6.0.6 that allows attackers to reset the passwords of admin accounts.
The Burst Statistics plugin has an authentication bypass vulnerability in versions 3.4.0 to 3.4.1.1 that enables unauthorized access to admin-level functions. Both vulnerabilities are being actively exploited, and users are advised to apply the available patch updates.