Mallory
Critical · 6 public exploits

Authentication Bypass in Burst Statistics WordPress Plugin

CVE-2026-8181 is an authentication bypass vulnerability in the Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress. It affects versions 3.4.0 through 3.4.1.1. The flaw is caused by incorrect return-value handling in the is_mainwp_authenticated() function while validating application passwords supplied via the HTTP Authorization header. Due to this logic error, an unauthenticated attacker who knows an administrator username can send a Basic Authentication header containing that username and any arbitrary password, and the plugin may treat the request as authenticated. This allows the attacker to impersonate the administrator for the lifetime of the request and execute actions through the affected plugin/REST API context with elevated privileges.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation results in authentication bypass and privilege escalation to the effective privileges of the impersonated administrator for the affected request. This can enable unauthorized administrative actions, including creation of new administrator accounts and other actions executed with administrator privileges. Follow-on impact can include theft of site data, malicious modification of site content, malware deployment, website redirection, and broader compromise of the affected WordPress instance. Available reporting also indicates active exploitation in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable the Burst Statistics plugin until it can be updated. As a temporary defensive measure, restrict access to affected WordPress administrative and REST/API surfaces where feasible, monitor for suspicious requests carrying Basic Authentication headers, and audit for unexpected privileged actions or newly created administrator accounts. Because exploitation requires knowledge of an administrator username, reducing public exposure of valid admin usernames may marginally reduce opportunistic abuse, but this should not be relied upon as a primary control.
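One way to act on the monitoring advice above, as an added example that is not code from the plugin or from any of the repositories listed on this page: a small Python check that flags requests carrying the plugin's X-BurstMainWP marker together with a Basic Authorization header on a REST route. It assumes request records (source, path, headers, status) are available from a reverse proxy, WAF or application log that captures headers; the sample records are constructed.

```python
"""Flag HTTP requests matching the CVE-2026-8181 bypass pattern (added example,
not code from the plugin or any repo above). Records are constructed here; in
practice they would come from a proxy, WAF or app log that captures headers."""
import base64
import re

# REST surfaces the bypass is used against: /wp-json/... or the ?rest_route= fallback.
REST_ROUTE = re.compile(r"(/wp-json/|[?&]rest_route=)", re.IGNORECASE)

def decode_basic_user(auth_header):
    """Return the username from an 'Authorization: Basic <b64>' value, else None."""
    scheme, _, blob = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:  # binascii.Error is a ValueError subclass, so one except covers both
        creds = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    return creds.partition(":")[0] or None

def classify(record):
    """Return a finding when X-BurstMainWP and Basic auth appear together on a
    REST route; header names are matched case-insensitively as HTTP allows."""
    headers = {k.lower(): v for k, v in record["headers"].items()}
    user = decode_basic_user(headers.get("authorization", ""))
    if not ("x-burstmainwp" in headers and user and REST_ROUTE.search(record["path"])):
        return None
    return {"src": record["src"], "path": record["path"], "impersonated_user": user,
            # a 2xx here after patching means something still accepted the request
            "succeeded": 200 <= record["status"] < 300}

def basic_header(user_and_password):
    return "Basic " + base64.b64encode(user_and_password.encode()).decode()

# Constructed sample records (not from any real site).
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/wp-json/wp/v2/users/me?context=edit",
     "headers": {"X-BURSTMAINWP": "1", "Authorization": basic_header("admin:anything")}, "status": 200},
    {"src": "203.0.113.7", "path": "/wp-json/wp/v2/users",
     "headers": {"x-burstmainwp": "1", "authorization": basic_header("admin:x")}, "status": 201},
    {"src": "198.51.100.2", "path": "/wp-json/wp/v2/posts",  # normal app-password use
     "headers": {"Authorization": basic_header("editor:realpass")}, "status": 200},
    {"src": "198.51.100.9", "path": "/?rest_route=/wp/v2/users/me&context=edit",
     "headers": {"X-BurstMainWP": "1", "Authorization": "Basic ???"}, "status": 401},
]

def scan(records):
    """Run classify over a batch and keep only the findings."""
    return [f for f in map(classify, records) if f]
```

Legitimate application-password use (third record) carries no marker header and is not flagged, so this check narrows to the plugin's own proxy path rather than all Basic auth traffic.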

Remediation

Patch, then assume compromise.

Update the Burst Statistics plugin to version 3.4.2 or later, which is the referenced fixed release. Ensure all affected installations running versions 3.4.0 through 3.4.1.1 are upgraded promptly. After patching, review administrative accounts, plugin settings, recent privileged actions, and site content for signs of compromise, including unauthorized administrator creation, malicious redirects, or injected code.
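
To confirm which installations still fall in the affected range, here is an added example (not the plugin's or any listed repository's code) that reads the Stable tag header of a WordPress plugin readme.txt and compares it against 3.4.0 through 3.4.1.1, taking care that the four-part 3.4.1.1 sorts correctly against three-part tags; the readme fragments are constructed.

```python
"""Decide whether an installed Burst Statistics build falls in the affected range
3.4.0 through 3.4.1.1 (added example, not the plugin's or any repo's code). It reads
the 'Stable tag:' header of a plugin readme.txt; the readme texts are constructed."""
import re

AFFECTED_MIN, AFFECTED_MAX, FIXED = (3, 4, 0), (3, 4, 1, 1), (3, 4, 2)

def parse_version(text):
    """'3.4.1.1' -> (3, 4, 1, 1); a suffix such as '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def cmp_versions(a, b):
    """Compare dotted versions of unequal length: 3.4.1 < 3.4.1.1 < 3.4.2.
    Returns -1, 0 or 1; the shorter tuple is right-padded with zeros."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def stable_tag(readme_text):
    """Extract the 'Stable tag:' value from readme.txt, or None if absent."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def assess(readme_text):
    """Return (tag, verdict); verdict is 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    tag = stable_tag(readme_text)
    if tag is None or tag.lower() == "trunk":   # no usable version: do not guess
        return tag, "unknown"
    v = parse_version(tag)
    if cmp_versions(v, AFFECTED_MIN) >= 0 and cmp_versions(v, AFFECTED_MAX) <= 0:
        return tag, "vulnerable"
    return tag, "fixed" if cmp_versions(v, FIXED) >= 0 else "not-affected"

# Constructed readme.txt fragments in the WordPress plugin header format.
README_VULNERABLE = "=== Burst Statistics ===\nRequires at least: 6.0\nStable tag: 3.4.1.1\n"
README_FIXED = "=== Burst Statistics ===\nStable tag: 3.4.2\n"
README_TRUNK = "=== Burst Statistics ===\nStable tag: trunk\n"
```

A plain string compare would rank "3.4.1.1" below "3.4.1" lexically on length alone, which is why the padded tuple comparison matters here.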

PUBLIC EXPLOITS

Exploits

6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 6 / 6 total
CVE-2026-8181 | Maturity: PoC | Verified exploit

Repository contains a README and a single Python exploit script, shadow.py, which is the main entry point. The project targets CVE-2026-8181 in the WordPress Burst Statistics plugin (versions 3.4.0 through 3.4.1.1). The README describes an authentication bypass caused by incorrect handling of wp_authenticate_application_password() return values in the plugin’s MainWP authentication flow, allowing attacker-controlled impersonation of an administrator early in request processing. The Python script is an operational exploitation tool rather than a simple detector. It supports single-target mode, file-based mass scanning, and an interactive mode. It uses argparse for CLI handling, requests/urllib3 for HTTP(S) communication, ThreadPoolExecutor for concurrent scanning, and local output helpers to record successful compromises. The script includes randomized usernames/passwords/domains and rotating User-Agent strings, indicating an attempt to automate exploitation at scale. Based on the README and visible code structure, the exploit workflow is: detect WordPress, identify Burst Statistics version, probe the /burst/v1/mainwp-auth route, enumerate likely usernames (or accept a supplied username), attempt the bypass using Basic Authorization plus X-BURSTMAINWP, then leverage elevated WordPress REST API access to enumerate users and create a new administrator account. It also advertises fallback behavior such as admin password reset and takeover verification via wp-login.php. Output is written to user.txt, token.txt, and new-user-and-header.txt. Overall purpose: automated unauthenticated admin takeover of vulnerable WordPress sites running the affected Burst Statistics plugin, with both reconnaissance and post-bypass account-compromise capabilities.

xShadow-Here | Disclosed May 17, 2026 | markdown, python, web, network
CVE-2026-8181-Lab | Maturity: PoC | Verified exploit

This repository is a self-contained Docker lab and proof-of-concept for CVE-2026-8181, an authentication bypass in the WordPress plugin Burst Statistics – Privacy-Friendly WordPress Analytics. The repo contains 7 files: a README, docker-compose.yml, two Dockerfiles (vuln/ and patched/), a Python PoC (poc/poc.py), and a Bash seeding script (scripts/seed-wordpress.sh). The Docker environment builds two WordPress 6.8.1 instances backed by separate MySQL containers: one with Burst Statistics 3.4.1.1 (vulnerable) and one with 3.4.2 (patched). A one-shot seed container installs WordPress, creates an administrator account named labadmin, and activates the plugin in both environments. The main exploit logic is in poc/poc.py. It is a least-harm, read-only web exploit PoC that targets the WordPress REST API endpoint /?rest_route=/wp/v2/users/me&context=edit. The script first performs a baseline unauthenticated request, then retries with the header X-BurstMainWP: 1 and a forged Basic Authorization header containing a known administrator username and an intentionally incorrect password. On vulnerable targets, the plugin's MainWP proxy authentication path incorrectly treats a non-error result from wp_authenticate_application_password() as sufficient, then calls wp_set_current_user() for the supplied username. This causes the REST request to execute in the context of that user, allowing the PoC to retrieve the admin user's profile and roles. On patched targets, the same request is rejected because the plugin now requires an actual WP_User object. Exploit capability is limited to proving request-scoped impersonation of a known administrator account; it does not create users, upload files, execute commands, or persist changes. The PoC includes a localhost-only safety guard via SAFE_HOSTS = {127.0.0.1, localhost, ::1}, requiring --allow-non-local to target anything else. 
Overall, this is a legitimate proof-of-concept exploit repository rather than a framework module or mere detector: it demonstrates the vulnerable behavior directly, but in a constrained and non-destructive way.

rootdirective-sec | Disclosed May 17, 2026 | python, bash, web, network
CVE-2026-8181 | Maturity: PoC | Verified exploit

Repository contains a standalone Python proof-of-concept exploit and a companion Nuclei detection template for CVE-2026-8181 affecting the Burst Statistics WordPress plugin. The main exploit file, CVE-2026-8181.py, uses httpx to send a crafted POST request to WordPress REST API user-creation endpoints. It sets the X-BurstMainWP header and a forged Basic Authorization header containing a known administrator username plus a fake password, exploiting the plugin's flawed MainWP authentication logic to impersonate that administrator for the duration of the request. The JSON payload creates a new persistent administrator account with attacker-supplied or randomly generated credentials. The script supports proxying, custom headers, timeout control, verbosity, and log output, making it a usable operational exploit rather than a simple detection check. The Nuclei template, CVE-2026-8181.yaml, is only for detection/fingerprinting: it checks for plugin presence via homepage asset references and confirms vulnerable versions by reading /wp-content/plugins/burst-statistics/readme.txt and comparing the extracted version to 3.4.0-3.4.1.1. Repository structure is minimal: one Python exploit, one YAML detector, README documentation with root-cause analysis and usage guidance, requirements.txt for dependencies, plus license and gitignore. Overall purpose is to demonstrate and operationalize unauthenticated web exploitation of vulnerable WordPress sites to achieve administrator account takeover via creation of a new admin user.

whattheslime | Disclosed May 16, 2026 | python, yaml, web, network
CVE-2026-8181 | Maturity: PoC | Verified exploit

Repository contains two Python 2.7 scripts and a README. The main exploit, CVE-2026-8181.py, is a multithreaded WordPress web exploit targeting the Burst Statistics plugin authentication bypass identified as CVE-2026-8181. It accepts a target list, normalizes targets by adding a protocol, and tests common WordPress install paths ('/', '/wordpress', '/wp'). It first enumerates a username using either the public REST users endpoint or author-ID redirects. It then attempts the bypass by sending 'X-BURSTMAINWP: 1' plus a crafted Basic Authorization header to '/wp-json/wp/v2/users/me?context=edit'. On success, it calls '/wp-json/burst/v1/mainwp-auth' to obtain an application-password token, checks access to sensitive REST endpoints such as settings, plugins, and administrator-user listings, and finally creates a new administrator account through POST '/wp-json/wp/v2/users'. Successful results, including created credentials and any recovered application password, are appended to 'res.txt'. The secondary script, scanner.py, is a detection utility rather than the main exploit. It checks '/wp-content/plugins/burst-statistics/readme.txt' across the same common base paths, extracts the plugin version, and flags versions 3.4.0, 3.4.1, and 3.4.1.1 as vulnerable, saving matching domains to 'vuln.txt'. Overall, this is a real exploit repository, not just a README or detector. Its primary capability is unauthorized administrative compromise of vulnerable WordPress sites via REST API auth bypass, with follow-on actions including credential/token recovery and persistent admin account creation.

Jenderal92 | Disclosed May 16, 2026 | python, markdown, web, network
CVE-2026-8181 | Maturity: PoC | Verified exploit

Repository contains a single Python exploit script and a README. The main file, CVE-2026-8181.py, is an operational proof-of-concept for exploiting an authentication bypass in the Burst Statistics WordPress plugin (versions 3.4.0 through 3.4.1.1). According to the embedded documentation, the bug is in the plugin's MainWP authentication logic: a null return from wp_authenticate_application_password() is mishandled, allowing authentication to succeed based only on a supplied username. Because the plugin sets the current user during plugins_loaded, the exploit gains admin privileges for the entire HTTP request before REST route handling. The script is designed for both single-target and multi-target operation. It accepts a single URL (-u) or a file of targets (-f), supports concurrent execution with a thread pool (-j), optional insecure TLS mode (-k), configurable timeout, and text output either as one combined file or per-host files. The default targeted username is 'admin', but it can be changed with -U. The reporting helper formats output including username, password, email, user ID, and a derived /wp-admin/ login address. Core exploit capability is unauthenticated admin-context access via crafted HTTP headers, specifically X-BURSTMAINWP: 1 plus a Basic Authorization header containing a chosen username and arbitrary password. The README and script comments state that once the bypass succeeds, the attacker can access WordPress REST endpoints with full admin context. An optional --create-user mode escalates this into persistent compromise by creating a new administrator account with randomized credentials, which are then written to the report. This makes the repository more than a detector: it is an exploit with post-exploitation account creation capability. No external exploit framework is used; this is a standalone Python script relying primarily on requests/urllib3. 
The README is extensive and bilingual, documenting the vulnerability, attack chain, usage examples, and operational notes. Overall, the repository's purpose is to automate exploitation of CVE-2026-8181 against vulnerable WordPress sites and optionally establish persistence through creation of a new admin user.

murrez | Disclosed May 15, 2026 | python, markdown, web, network
CVE-2026-8181 | Maturity: PoC | Verified exploit

Repository contains a single Python proof-of-concept exploit script and a README. The main file, CVE-2026-8181.py, targets CVE-2026-8181 in the Burst Statistics WordPress plugin (versions 3.4.0 through 3.4.1.1). The exploit is not framework-based and is a standalone operational PoC. The exploit’s core capability is unauthenticated administrator impersonation via a crafted REST request. It builds requests to WordPress REST API endpoints using either /wp-json<route> or the fallback /?rest_route=<route>. To trigger the vulnerable code path, it sends the X-BURSTMAINWP: 1 header plus a forged Basic Authorization header containing a known or guessed admin username and an arbitrary password string. According to the embedded documentation, the plugin incorrectly treats a null return from wp_authenticate_application_password() as non-error on HTTP sites, then resolves the user by username and sets the current user context, granting admin privileges for the request before REST route handling. The script structure includes helper methods for URL construction, REST requests, bypass-header generation, WordPress detection, and exploitation flow. Although the provided content is truncated, the visible logic and README indicate the script can: verify WordPress presence, attempt the auth bypass, retrieve an application password, and optionally create a new administrator account. This makes it more than a detector; it performs post-bypass administrative actions. Fingerprintable targets and artifacts include the WordPress REST API paths (/wp-json and /?rest_route=), the required exploit header X-BURSTMAINWP: 1, and the forged Basic Auth pattern. The README also documents relevant WordPress artifacts for detection and remediation, including wp_users, wp_options, wp_application_passwords, and burst_mainwp_app_token_*. 
Overall, this repository is a focused exploit PoC for remote web exploitation of vulnerable WordPress sites running the Burst Statistics plugin under conditions where application passwords are unavailable, especially HTTP deployments. Its purpose is account takeover and administrative control, not merely vulnerability detection.

zycoder0day | Disclosed May 14, 2026 | python, markdown, web, network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor            Product           Type
Burst-Statistics  Burst Statistics  application

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.
