Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs

Threat actors are exploiting vulnerable Kirki and Burst Statistics deployments to elevate privileges and take over websites. The post Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs appeared first on SecurityWeek .

SecurityWeek reports that threat actors are actively exploiting critical vulnerabilities in the Kirki and Burst Statistics WordPress plugins to perform unauthenticated privilege escalation, reset admin passwords, and ultimately take over websites.[1] These bugs (including CVE-2026-8206 and CVE-2026-8181) allow attackers to hijack administrator accounts and abuse REST API functionality, with hundreds of thousands of sites potentially exposed if not patched.[1][2][3] From a CyberSE.AI perspective, any AI-enabled services or plugins integrated into a compromised WordPress instance (for example, AI chat widgets, content-generation agents, or API keys stored in the CMS) could be indirectly exposed, allowing attackers to exfiltrate secrets, tamper with AI workflows, or use the compromised site as an entry point into broader SaaS or AI infrastructure. Organizations should treat CMS plugin security as part of their SaaS AI risk surface, ensuring rigorous patching, access control, and an AI Security Readiness Assessment to map and harden all AI-related integrations that rely on or trust web applications like WordPress.