## https://sploitus.com/exploit?id=5081559F-E6D2-527C-B430-4E0399FF4B5D
# CVE-2026-8181 - Burst Statistics Authentication Bypass Exploit
**Python 2.7** exploit for the Burst Statistics plugin vulnerability (CVE-2026-8181) that allows unauthenticated attackers to bypass REST API authentication, retrieve application passwords, and create new administrator users on vulnerable WordPress sites.
> โ ๏ธ **Disclaimer**
> This tool is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Use only on websites you own or have explicit permission to test.
> More Disclaimer You Can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/
## Vulnerability Overview
CVE-2026-8181 affects the Burst Statistics plugin for WordPress (versions prior to the patch). The flaw resides in the REST API authentication mechanism, allowing an attacker to:
- Bypass authentication by sending a crafted `X-BURSTMAINWP` header
- Retrieve application passwords via the `/burst/v1/mainwp-auth` endpoint
- Perform privileged actions (list users, read settings, create new admin accounts) through the WordPress REST API
## Features
- Multi-threaded scanning (default 10 threads)
- Automatic detection of WordPress base paths (`/`, `/wordpress`, `/wp`)
- Username enumeration via `/wp-json/wp/v2/users` or author ID redirects
- Exploitation of the auth bypass to:
- Obtain application passwords (Base64 encoded token)
- Verify access to sensitive REST endpoints (settings, plugins, admin users)
- Create a new administrator user with random credentials
- Saves successful results to `res.txt`
## Requirements
- **Python 2.7** (deprecated but required by the script)
- `requests` library
```bash
pip install requests
```
## Usage
1. Prepare a target list file (one domain or IP per line, with or without `http://`/`https://`).
Example `targets.txt`:
```
example.com
https://vulnerable-site.com
127.0.0.1/wordpress
```
2. Run the exploit:
```bash
python2 CVE-2026-8181.py targets.txt
```
3. Results are saved to `res.txt` in the current directory.
### Command Line Options
| Argument | Description |
|--------------|--------------------------------------|
| `list.txt` | Path to file containing target URLs |
### Example Output
```
============================================================
CVE-2026-8181 - Burst Statistics Auth Bypass Exploit
============================================================
[*] Total targets: 2
[*] Threads: 10
[*] Base paths: ['', '/wordpress', '/wp']
[*] Scanning: example.com
Trying path: /
Detected username: admin
[+] VULNERABLE! REST API bypass successful
[+] Application Password obtained!
[+] Username: admin
[+] App Password: xxxx xxxx xxxx
[+] Base64 Token: YWRtaW46eHh4eA==
[+] Access confirmed: WordPress settings
[+] Access confirmed: Installed plugins
[+] Access confirmed: Admin users
[+] Admin user created via REST API: wp_abc123
[+] Results saved to res.txt
```
## Output File Format (`res.txt`)
For each vulnerable target, the script appends:
```
============================================================
Target: http://example.com
============================================================
[+] Access Verification:
[+] WordPress settings
[+] Installed plugins
[+] Admin users
[+] REST API Credentials:
Username: wp_abc123
Password: random12char
Note: Use with X-BURSTMAINWP header
[+] Application Password:
Username: admin
App Password: xxxx xxxx xxxx
Base64 Token: YWRtaW46eHh4eA==
```
## How It Works
1. **Target preparation** โ Adds `http://` prefix if missing, strips trailing slashes.
2. **Path iteration** โ Tries `/`, `/wordpress`, and `/wp` as WordPress base directories.
3. **Username enumeration** โ Fetches `/wp-json/wp/v2/users` or uses `?author=N` redirects.
4. **Bypass test** โ Sends `X-BURSTMAINWP: 1` + Basic auth with username and dummy password (`CVE-2026-8181`). If endpoint `/wp-json/wp/v2/users/me?context=edit` returns 200, the site is vulnerable.
5. **Exploitation** โ
- Requests `/wp-json/burst/v1/mainwp-auth` to retrieve an application password token.
- Verifies access to `/settings`, `/plugins`, `/users`.
- Creates a new administrator account via `POST /wp-json/wp/v2/users`.
6. **Result saving** โ Writes all obtained credentials to `res.txt`.
## Customisation
You can modify these variables inside the script:
- `THREADS` โ Number of concurrent threads (default 10)
- `BASE_PATHS` โ Additional WordPress subdirectories to check
- `requests` timeout values
## Notes
- The script uses Python 2.7 โ ensure it is installed or consider porting to Python 3.
- SSL certificate verification is disabled (`verify=False`) for simplicity.
- The exploit depends on the Burst Statistics plugin being active and unpatched.
## License
This project is provided for educational purposes only. Use at your own risk.
## References
- [CVE-2026-8181 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-8181) (hypothetical)
- Burst Statistics plugin (affected versions)