A critical security vulnerability in the Burst Statistics plugin — a popular self-hosted analytics tool for WordPress — allows unauthenticated attackers to bypass authentication and gain unauthorized access to sensitive site data. The flaw affects all installations running version 1.5.7.2 and earlier, putting an estimated 200,000 active WordPress sites at risk.
The vulnerability, tracked as CVE-2025-3455, carries a CVSS score of 9.8 out of 10, placing it firmly in the critical category. It was discovered by Wordfence security researcher István Márton and stems from a missing or improperly implemented authentication check on a REST API endpoint (a web-based access point that plugins use to communicate with external services and perform internal tasks). An attacker with no login credentials whatsoever could exploit this endpoint to reset plugin settings or access aggregated analytics data.

The issue was responsibly disclosed to the plugin’s developer, and a patched version was released on May 6, 2025. The fix is available in Burst Statistics version 1.5.8. Site owners and administrators running any prior version should update immediately through the WordPress dashboard. The vulnerability comparison by version breaks down as follows:
| Version | Vulnerability Status |
|---|---|
| 1.5.7.2 and earlier | Vulnerable — update required |
| 1.5.8 | Patched — safe to use |
For context, authentication bypass vulnerabilities are among the most serious class of WordPress plugin flaws. They do not require an attacker to have any existing account or privilege on the site — the attack can be carried out remotely by anyone who knows the vulnerable endpoint exists. In this case, the exposed REST API route lacked proper capability checks, which WordPress uses to verify that a user has permission to perform a given action.
Burst Statistics is developed by Burst Digital and markets itself as a GDPR-friendly, privacy-focused alternative to Google Analytics. Its appeal to privacy-conscious site owners has helped it accumulate a significant install base, which also means the attack surface for this vulnerability is substantial. Wordfence Premium users received a firewall rule protecting against exploitation on the day of disclosure; free Wordfence users received the same protection 30 days later.
Sites that have not yet updated should do so without delay. Given the public disclosure of CVE-2025-3455, active exploitation attempts are a realistic near-term concern for any unpatched installation.