Analysis updated 2026-05-18
Verify in an authorized lab whether a WordPress site is running a vulnerable Burst Statistics version.
Test multiple targets from a list with threaded workers and generate a report of successful bypasses.
Study how a mis-handled authentication branch can escalate a crafted REST request to admin access.
Confirm that upgrading to Burst Statistics 3.4.2 or newer closes the bypass.
| murrez/cve-2026-8181 | a-bissell/unleash-lite | abhiinnovates/whatsapp-hr-assistant | |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | Python | Python | Python |
| Setup difficulty | easy | hard | hard |
| Complexity | 3/5 | 4/5 | 3/5 |
| Audience | developer | researcher | developer |
Figures from each repo's GitHub metadata at analysis time.
Only install pip requests and urllib3, intended strictly for authorized testing against systems you own or have permission to test.
CVE-2026-8181 is a proof-of-concept tool written in Python that demonstrates an authentication bypass vulnerability, tracked as CWE-287, in the Burst Statistics WordPress plugin. The flaw affects plugin versions 3.4.0 through 3.4.1.1 and was fixed in version 3.4.2. It allows a remote, unauthenticated attacker to escalate a crafted REST API request to full WordPress admin access by sending specific HTTP headers. The attack combines an X-BURSTMAINWP header with a fake Basic authorization credential, which causes the plugin's authentication check to follow a mis-handled code branch that grants admin-level access. The severity rating given is CVSS around 9.8, considered critical. The script CVE-2026-8181.py is described as lab automation for authorized security testing. It can scan a single target site with a -u flag or a list of targets from a text file with -f. Multiple worker threads can run in parallel using -j. Successful results can be written to one combined output file with -o, or saved as separate per-host files in a directory with output-dir. An optional create-user flag attempts to create a new administrator account through the REST API during a successful bypass, and the generated password is written into the report if that happens. A -k flag disables TLS certificate verification for use in lab environments. The README points out that the plugin's reported 200,000 plus active installs figure is the entire user base of the plugin, not a count of sites running the vulnerable version, so real-world impact depends on which version and environment each site is actually running. The author frames the tool as intended for authorized testing and defensive hardening only, and the README is written in parallel English and Turkish sections throughout.
A Python proof-of-concept for CVE-2026-8181, a critical authentication bypass in the Burst Statistics WordPress plugin, for authorized security testing.
Mainly Python. The stack also includes Python, WordPress, REST API.
The README does not state a license for the project.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.