
Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Why It Matters
These exploits give attackers admin‑level control without credentials, threatening the integrity of millions of WordPress sites and the businesses that rely on them. Prompt remediation is essential to prevent large‑scale data breaches and service disruptions.
Key Takeaways
- Kirki 6.0.0‑6.0.6 vulnerable to unauthenticated password reset (CVE‑2026‑8206)
- Exploit grants attacker admin control via forged reset link
- Burst Statistics 3.4.0‑3.4.1.1 allows authentication bypass via REST API
- Over 150,000 sites run vulnerable Kirki version; 200,000 use Burst Statistics
- Patches released: Kirki 6.0.7, Burst Statistics 3.4.2 fix issues
Pulse Analysis
WordPress powers roughly 40% of the web, and its extensible plugin ecosystem is both a strength and a security liability. Over the past year, researchers have documented a surge in privilege‑escalation bugs that let attackers bypass authentication entirely. The Kirki and Burst Statistics flaws exemplify this trend, targeting core functions—password reset flows and REST API handling—that are often assumed safe. Their high CVSS scores reflect the ease of exploitation and the severe impact of a full site takeover, underscoring the need for continuous code review and hardening of plugin entry points.
Technically, the Kirki issue manipulates the password‑reset endpoint by accepting any email address, allowing an attacker to generate a valid reset token for a high‑privilege user. Meanwhile, Burst Statistics mishandles the return value of its application‑password validator, causing the REST API to treat crafted requests as authenticated. Both vulnerabilities are unauthenticated, meaning no prior access is required—a characteristic that makes them especially attractive to automated botnets. The rapid detection and blocking of thousands of attempts by Defiant illustrate how threat‑intelligence services can mitigate damage, but only after the initial exposure period.
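To make the Burst Statistics failure mode concrete, here is an added PHP illustration of the bug class (not the plugin's own code). It assumes the mishandled check is the common WordPress pitfall that a validator returns a WP_User on success but a truthy WP_Error on failure, so a plain truthiness test passes failed logins; the plugin's actual check is not reproduced here.

```php
<?php
// Added illustration, not Burst Statistics' code. Models the bug class the
// article describes: a REST authentication callback that mishandles the return
// value of its application-password validator. In WordPress,
// wp_authenticate_application_password() returns a WP_User on success, a
// WP_Error on failure, and passes its input through (typically null) when no
// application-password credentials are present. The exact check the plugin
// got wrong is an assumption here.

// Minimal stand-ins so this file runs outside WordPress.
class WP_Error { public function __construct(public string $code = 'invalid') {} }
class WP_User  { public function __construct(public int $ID) {} }
function is_wp_error(mixed $thing): bool { return $thing instanceof WP_Error; }

// Constructed validator: only the constructed value 'valid-token' is accepted.
function validate_app_password(?string $header): WP_User|WP_Error|null {
    if ($header === null)          { return null; }                    // no credentials supplied
    if ($header === 'valid-token') { return new WP_User(1); }          // constructed success
    return new WP_Error('incorrect_password');                         // failure: an object, hence truthy
}

// Weak pattern: a WP_Error object is truthy, so a failed validation is
// treated as an authenticated request.
function is_authenticated_weak(?string $header): bool {
    $result = validate_app_password($header);
    return (bool) $result;
}

// Hardened pattern: only a WP_User counts; WP_Error and null are both
// unauthenticated. The explicit is_wp_error() call documents the intent.
function is_authenticated_hardened(?string $header): bool {
    $result = validate_app_password($header);
    if ($result === null || is_wp_error($result)) {
        return false;
    }
    return $result instanceof WP_User;
}

// Compare both checks on a valid token, a wrong token, and no header at all.
foreach (['valid-token', 'wrong-token', null] as $hdr) {
    printf("%-13s weak=%-3s hardened=%s\n", var_export($hdr, true),
        is_authenticated_weak($hdr) ? 'yes' : 'no',
        is_authenticated_hardened($hdr) ? 'yes' : 'no');
}
```

The wrong-token case is the one to watch: the weak check reports it as authenticated, the hardened check does not.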
For site operators, the takeaway is clear: maintain an aggressive patch cadence and monitor plugin advisories. Updating to Kirki 6.0.7 and Burst Statistics 3.4.2 eliminates the known vectors, but legacy installations remain at risk. Employing web‑application firewalls, restricting REST API access, and enforcing strong admin credentials further reduce the attack surface. As WordPress continues to dominate the CMS market, the industry must prioritize secure development pipelines and faster vulnerability disclosure to protect the vast digital infrastructure built on these plugins.