CVE-2026-8181

CRITICAL · EXPLOITED · NUCLEI · LAB

Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover

Title source: cna

Exploitation Summary

CVE-2026-8181 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 11 public exploits from researchers including Ez4rd1x1, BastianXploited, Yucaerin. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in the Burst Statistics WordPress plugin (versions 3.4.0 to 3.4.1.1). The PoC automates version detection, user enumeration, and privilege escalation by exploiting a logic flaw in the `is_mainwp_authenticated()` function.

Description

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password, achieving privilege escalation.

Exploits (11)

nomisec WORKING POC
by Ez4rd1x1 · remote
https://github.com/Ez4rd1x1/CVE-2026-8181

The repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in the Burst Statistics WordPress plugin (versions 3.4.0 to 3.4.1.1). The PoC automates version detection, user enumeration, and privilege escalation by exploiting a logic flaw in the `is_mainwp_authenticated()` function.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics – Privacy-Friendly WordPress Analytics (Plugin versions 3.4.0 to 3.4.1.1)
No auth needed
Prerequisites: WordPress site with vulnerable Burst Statistics plugin · REST API access to `/wp-json/wp/v2/users`
devstral-2 · analyzed Jun 02, 2026
nomisec WORKING POC
by BastianXploited · poc
https://github.com/BastianXploited/CVE-2026-8181

This repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in the Burst Statistics WordPress plugin (versions 3.4.0-3.4.1.1). The exploit leverages a flaw in the `is_mainwp_authenticated()` function, allowing unauthenticated attackers to gain admin privileges via crafted HTTP headers.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress Plugin 3.4.0-3.4.1.1
No auth needed
Prerequisites: Target must have Burst Statistics plugin installed and vulnerable version · Target admin must not have Application Passwords configured
devstral-2 · analyzed May 28, 2026
github WORKING POC
by Yucaerin · python · poc
https://github.com/Yucaerin/CVE-2026-8181

The repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in Burst Statistics (3.4.0-3.4.1.1) that allows unauthenticated attackers to mint WordPress Application Passwords for admin accounts via a flawed `is_mainwp_authenticated()` check.

Classification: Working PoC 100% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics (WordPress plugin) versions 3.4.0 to 3.4.1.1
No auth needed
Prerequisites: knowledge of an admin username · plugin installed and active
devstral-2 · analyzed May 22, 2026
github WORKING POC
by x48ps · python · poc
https://github.com/x48ps/CVE-2026-8181

This repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in the Burst Statistics WordPress plugin. The exploit allows unauthenticated attackers to impersonate an administrator by using a crafted Basic Authentication header, enabling the creation of a new administrator account.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress plugin (versions 3.4.0, 3.4.1, 3.4.1.1)
No auth needed
Prerequisites: valid administrator username · WordPress site with vulnerable Burst Statistics plugin
devstral-2 · analyzed May 22, 2026
github WORKING POC
by BastianXploited · python · remote
https://github.com/BastianXploited/CVE-2026-8181-mass

This repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in Burst Statistics WordPress plugin versions 3.4.0-3.4.1.1. The exploit leverages a flaw in the `is_mainwp_authenticated()` function to bypass authentication and gain admin privileges via crafted HTTP headers.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress Plugin 3.4.0-3.4.1.1
No auth needed
Prerequisites: Target must have Burst Statistics plugin installed and vulnerable version · Target admin must not have Application Passwords configured
devstral-2 · analyzed May 22, 2026
github WORKING POC
by xShadow-Here · python · poc
https://github.com/xShadow-Here/CVE-2026-8181

This repository contains a functional exploit for CVE-2026-8181, an authentication bypass vulnerability in Burst Statistics WordPress plugin versions 3.4.0 to 3.4.1.1. The exploit leverages incorrect return-value handling in the `is_mainwp_authenticated()` function to impersonate admin users and achieve full account takeover.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress plugin (3.4.0 - 3.4.1.1)
No auth needed
Prerequisites: knowledge of an administrator username · target running vulnerable plugin version
devstral-2 · analyzed May 18, 2026
github WORKING POC
by rootdirective-sec · python · remote
https://github.com/rootdirective-sec/CVE-2026-8181-Lab

This repository contains a functional exploit PoC for CVE-2026-8181, an authentication bypass vulnerability in the Burst Statistics WordPress plugin. The PoC demonstrates the vulnerability by sending a crafted request with a fake Basic Authentication password and the 'X-BurstMainWP: 1' header, which bypasses authentication in vulnerable versions.

Classification: Working PoC 100% · Attack Type: Auth Bypass · Complexity: Trivial · Reliability: Reliable
Target: Burst Statistics – Privacy-Friendly WordPress Analytics (versions 3.4.0 to 3.4.1.1)
No auth needed
Prerequisites: knowledge of a valid administrator username
devstral-2 · analyzed May 17, 2026
nomisec WORKING POC
by whattheslime · poc
https://github.com/whattheslime/CVE-2026-8181

This repository contains a functional Python exploit for CVE-2026-8181, which leverages an authentication bypass in Burst Statistics (WordPress plugin) to create a new administrator account. The exploit forges Basic authentication headers and sends a crafted POST request to the WordPress REST API.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress plugin (versions 3.4.0 to 3.4.1.1)
No auth needed
Prerequisites: known administrator username · WordPress site with vulnerable Burst Statistics plugin
devstral-2 · analyzed May 16, 2026
nomisec WORKING POC
by Jenderal92 · remote
https://github.com/Jenderal92/CVE-2026-8181

This repository contains a functional exploit for CVE-2026-8181, targeting a WordPress REST API authentication bypass vulnerability. The exploit automates username enumeration, bypass testing, application password extraction, and admin user creation.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: WordPress (specific version not specified)
No auth needed
Prerequisites: WordPress installation with vulnerable REST API endpoint · Network access to target
devstral-2 · analyzed May 16, 2026
nomisec WORKING POC
by murrez · remote
https://github.com/murrez/CVE-2026-8181

This repository contains a functional Python exploit for CVE-2026-8181, an authentication bypass vulnerability in Burst Statistics WordPress Plugin versions 3.4.0-3.4.1.1. The exploit leverages a flaw in the `is_mainwp_authenticated()` method to bypass authentication and gain admin privileges.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress Plugin 3.4.0-3.4.1.1
No auth needed
Prerequisites: WordPress site with Burst Statistics plugin 3.4.0-3.4.1.1 · HTTP site (not HTTPS)
devstral-2 · analyzed May 15, 2026
nomisec WORKING POC
by zycoder0day · remote
https://github.com/zycoder0day/CVE-2026-8181

This repository contains a functional Python exploit for CVE-2026-8181, an authentication bypass vulnerability in Burst Statistics WordPress plugin versions 3.4.0-3.4.1.1. The exploit leverages a flaw in the `is_mainwp_authenticated()` method to gain admin privileges without valid credentials.

Classification: Working PoC 95% · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Burst Statistics WordPress Plugin 3.4.0-3.4.1.1
No auth needed
Prerequisites: WordPress site with vulnerable Burst Statistics plugin · HTTP (non-HTTPS) site configuration
devstral-2 · analyzed May 14, 2026

Nuclei Templates (1)

WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
CRITICAL · VERIFIED · by 0x_Akoko

Scores

CVSS v3 9.8
EPSS 0.0451
EPSS Percentile 89.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

Community Lab
docker pull wordpress:cli-php8.2
docker pull wordpress:6.8.1-php8.2-apache

Details

VulnCheck KEV 2026-05-14
CWE
CWE-287
Status published
Products (1)
burstbv/Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) 3.4.0 - 3.4.1.1
Published May 14, 2026
Tracked Since May 14, 2026