explaingit

murrez/cve-2026-8181

Analysis updated 2026-05-18

1PythonAudience · developerComplexity · 3/5Setup · easy

TLDR

A Python proof-of-concept for CVE-2026-8181, a critical authentication bypass in the Burst Statistics WordPress plugin, for authorized security testing.

Mindmap

mindmap
  root((CVE-2026-8181))
    What it does
      Auth bypass PoC
      Burst Statistics plugin
      Lab automation
    Tech stack
      Python
      WordPress
      REST API
    Use cases
      Authorized vulnerability testing
      Multi target scanning
      Report generation
    Details
      CWE-287
      CVSS 9.8
      Fixed in 3.4.2

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Verify in an authorized lab whether a WordPress site is running a vulnerable Burst Statistics version.

USE CASE 2

Test multiple targets from a list with threaded workers and generate a report of successful bypasses.

USE CASE 3

Study how a mis-handled authentication branch can escalate a crafted REST request to admin access.

USE CASE 4

Confirm that upgrading to Burst Statistics 3.4.2 or newer closes the bypass.

What is it built with?

PythonWordPressREST API

How does it compare?

murrez/cve-2026-8181a-bissell/unleash-liteabhiinnovates/whatsapp-hr-assistant
Stars111
LanguagePythonPythonPython
Setup difficultyeasyhardhard
Complexity3/54/53/5
Audiencedeveloperresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Only install pip requests and urllib3, intended strictly for authorized testing against systems you own or have permission to test.

The README does not state a license for the project.

In plain English

CVE-2026-8181 is a proof-of-concept tool written in Python that demonstrates an authentication bypass vulnerability, tracked as CWE-287, in the Burst Statistics WordPress plugin. The flaw affects plugin versions 3.4.0 through 3.4.1.1 and was fixed in version 3.4.2. It allows a remote, unauthenticated attacker to escalate a crafted REST API request to full WordPress admin access by sending specific HTTP headers. The attack combines an X-BURSTMAINWP header with a fake Basic authorization credential, which causes the plugin's authentication check to follow a mis-handled code branch that grants admin-level access. The severity rating given is CVSS around 9.8, considered critical. The script CVE-2026-8181.py is described as lab automation for authorized security testing. It can scan a single target site with a -u flag or a list of targets from a text file with -f. Multiple worker threads can run in parallel using -j. Successful results can be written to one combined output file with -o, or saved as separate per-host files in a directory with output-dir. An optional create-user flag attempts to create a new administrator account through the REST API during a successful bypass, and the generated password is written into the report if that happens. A -k flag disables TLS certificate verification for use in lab environments. The README points out that the plugin's reported 200,000 plus active installs figure is the entire user base of the plugin, not a count of sites running the vulnerable version, so real-world impact depends on which version and environment each site is actually running. The author frames the tool as intended for authorized testing and defensive hardening only, and the README is written in parallel English and Turkish sections throughout.

Copy-paste prompts

Prompt 1
Explain how the X-BURSTMAINWP header and a fake Basic credential combine to trigger the CVE-2026-8181 authentication bypass.
Prompt 2
Walk me through running CVE-2026-8181.py against a single authorized lab target with the -u and -o flags.
Prompt 3
Help me understand the difference between the -o combined output file and the --output-dir per-host mode in this tool.
Prompt 4
What does the --create-user flag do in CVE-2026-8181.py, and why does it only work on a successful bypass?

Frequently asked questions

What is cve-2026-8181?

A Python proof-of-concept for CVE-2026-8181, a critical authentication bypass in the Burst Statistics WordPress plugin, for authorized security testing.

What language is cve-2026-8181 written in?

Mainly Python. The stack also includes Python, WordPress, REST API.

What license does cve-2026-8181 use?

The README does not state a license for the project.

How hard is cve-2026-8181 to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is cve-2026-8181 for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.