[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu5MaN5BHvkWLvejSLdj5X0ZkrW6tSUaQwSevam3Bqhs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":9,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":38},"CVE-2026-8181","burst-statistics-authentication-bypass-to-admin-account-takeover","Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover","The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. 
This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.","burst-statistics",null,">=3.4.0 \u003C=3.4.1.1","3.4.2","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Authentication","2026-05-13 16:44:16","2026-05-14 05:30:30",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F8ca830d6-3d3c-4026-85cd-8447b8a568d3?source=api-prod",1,[22,23,24,25,26,27],"burst.php","includes\u002FAdmin\u002FAbilities_Api\u002Fclass-abilities-api.php","includes\u002FAdmin\u002FApp\u002FMenu\u002Fclass-menu.php","includes\u002FAdmin\u002FApp\u002Fbuild\u002F156.1bbcca5c233dd53cba1a.js","includes\u002FAdmin\u002FApp\u002Fbuild\u002F212.15634d10b3abd1282f93.js","includes\u002FAdmin\u002FApp\u002Fbuild\u002F219.200a1ab6d3494a799bb0.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-8181\n\n## 1. Vulnerability Summary\nThe **Burst Statistics** plugin (versions 3.4.0 to 3.4.1.1) contains an authentication bypass vulnerability in its MainWP integration logic. The function `is_mainwp_authenticated()` (likely hooked into the `determine_current_user` filter or a similar authentication flow) fails to correctly validate application passwords provided in the `Authorization` header. \n\nSpecifically, when a `Basic` authentication header is provided, the function attempts to validate it but handles the return value incorrectly. This allows an unauthenticated attacker who knows a valid administrator's username to bypass authentication by providing a random password. 
Because this bypass occurs at the authentication layer, the attacker is treated as the specified administrator for the duration of the HTTP request, enabling full administrative access to the WordPress REST API and other protected endpoints.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any WordPress REST API endpoint, specifically `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers` for account takeover.\n*   **Vulnerable Function:** `is_mainwp_authenticated()` (located in an internal class, potentially `Burst\\Admin\\MainWP\\MainWP_Helper` or similar - *inferred based on namespace usage in provided files*).\n*   **Authentication Header:** `Authorization: Basic \u003Cbase64(admin_user:random_password)>`.\n*   **Authentication Level:** Unauthenticated.\n*   **Preconditions:** Knowledge of a valid administrator username (usually `admin` or discoverable via `\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers`).\n\n## 3. Code Flow\n1.  **Request Initiation:** An attacker sends a REST API request to the WordPress site.\n2.  **Authentication Filter:** During the `plugins_loaded` or `init` phase, WordPress fires the `determine_current_user` filters to identify the requester.\n3.  **Vulnerable Hook:** Burst Statistics registers a filter that calls `is_mainwp_authenticated()`.\n4.  **Header Processing:** The function detects an `Authorization` header. It extracts the username and password.\n5.  **Logic Failure:** \n    *   The code likely checks if the username exists and has specific capabilities (MainWP related).\n    *   It then attempts to validate the \"application password\".\n    *   Due to \"incorrect return-value handling,\" the function returns the `WP_User` object or User ID even if the password validation fails or is logically bypassed, effectively telling WordPress: \"This user is authenticated.\"\n6.  
**Privilege Escalation:** WordPress sets the global `$current_user` to the administrator, and the REST API controller allows the request to proceed with full permissions.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability targets the **REST API** using **Basic Authentication**. \n*   **WordPress REST API Authentication:** When using the `Authorization` header (Application Passwords\u002FBasic Auth), WordPress **does not require** a CSRF nonce (`X-WP-Nonce`). Nonces are only required for cookie-based authentication.\n*   **Bypass Confirmation:** Since the exploit relies on bypassing the authentication mechanism itself via the header, no nonce is needed for the `POST` requests.\n\n## 5. Exploitation Strategy\nThe goal is to create a new administrator account to achieve permanent site access.\n\n### Step 1: Enumerate Administrator Username\nIf the username is unknown, use the standard WordPress enumeration endpoint.\n*   **Request:** `GET \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers`\n*   **Tool:** `http_request`\n*   **Expected Result:** A JSON list of users. Identify the user with the highest ID or known administrative slug (e.g., `admin`).\n\n### Step 2: Perform Account Takeover (Create New Admin)\nUse the bypass to call the user creation endpoint.\n*   **Method:** `POST`\n*   **URL:** `\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `Authorization: Basic YWRtaW46YnlwYXNzMTIz` (Base64 for `admin:bypass123` - assuming `admin` is the target username)\n*   **Payload (JSON):**\n    ```json\n    {\n      \"username\": \"exploit_admin\",\n      \"name\": \"Exploit Admin\",\n      \"email\": \"exploit@example.com\",\n      \"password\": \"ComplexPassword123!\",\n      \"roles\": [\"administrator\"]\n    }\n    ```\n*   **Tool:** `http_request`\n\n## 6. Test Data Setup\n1.  **Environment:** WordPress with Burst Statistics v3.4.1.1 installed and activated.\n2.  
**User:** An administrator account with the username `admin` must exist.\n3.  **Plugin Config:** No specific configuration is required, as the MainWP authentication bridge is typically initialized by default if the `MainWP_Child` class isn't detected to be conflicting.\n\n## 7. Expected Results\n*   **Response Code:** `201 Created`\n*   **Response Body:** A JSON object representing the newly created `exploit_admin` user, including `\"roles\": [\"administrator\"]`.\n*   **Failure Scenario:** If the bypass fails, the response will be `401 Unauthorized` or `403 Forbidden` (Restricted to authenticated users).\n\n## 8. Verification Steps\nAfter the HTTP request, use WP-CLI to verify the state of the database:\n1.  **Check User Existence:** `wp user get exploit_admin`\n2.  **Verify Roles:** `wp user get exploit_admin --field=roles` (should return `administrator`)\n3.  **Check Login:** Verify that the new user can successfully authenticate.\n\n## 9. Alternative Approaches\nIf the `wp\u002Fv2\u002Fusers` endpoint is restricted by other security plugins, try these alternatives using the same `Authorization` bypass header:\n1.  **Modify Options:** `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fsettings` to change `users_can_register` to `1` and `default_role` to `administrator`.\n2.  **Plugin Installation:** Use the `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fplugins` endpoint (if available\u002Fsupported by the specific WP version) to upload a web shell.\n3.  **Update Admin Password:** `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u002F\u003Cadmin_id>` with a new `password` field to hijack the existing account directly.","The Burst Statistics plugin (versions 3.4.0 to 3.4.1.1) contains an authentication bypass vulnerability within its MainWP integration logic. 
Due to incorrect return-value handling in the `is_mainwp_authenticated()` function, an unauthenticated attacker knowing an administrator username can impersonate that user by providing an arbitrary password in a Basic Authentication header.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.1.1\u002Fburst.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.2\u002Fburst.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.1.1\u002Fburst.php\t2026-05-06 09:16:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.2\u002Fburst.php\t2026-05-12 05:34:20.000000000 +0000\n@@ -3,7 +3,7 @@\n  * Plugin Name: Burst Statistics - Privacy-Friendly Analytics for WordPress\n  * Plugin URI: https:\u002F\u002Fwww.wordpress.org\u002Fplugins\u002Fburst-statistics\n  * Description: Get detailed insights into visitors’ behavior with Burst Statistics, the privacy-friendly analytics dashboard.\n- * Version: 3.4.1.1\n+ * Version: 3.4.2\n  * Requires at least: 6.6\n  * Requires PHP: 8.0\n  * Text Domain: burst-statistics\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.1.1\u002Fincludes\u002FAdmin\u002FAbilities_Api\u002Fclass-abilities-api.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.2\u002Fincludes\u002FAdmin\u002FAbilities_Api\u002Fclass-abilities-api.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.1.1\u002Fincludes\u002FAdmin\u002FAbilities_Api\u002Fclass-abilities-api.php\t2026-04-29 13:41:56.000000000 +0000\n+++ 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fburst-statistics\u002F3.4.2\u002Fincludes\u002FAdmin\u002FAbilities_Api\u002Fclass-abilities-api.php\t2026-05-12 05:34:20.000000000 +0000\n@@ -15,14 +15,43 @@\n class Abilities_Api {\n \tuse Admin_Helper;\n \n-\tprivate const ENABLE_OPTION = 'enable_abilities_api';\n-\tprivate const CATEGORY_SLUG = 'burst-statistics';\n+\tprivate const ENABLE_OPTION     = 'enable_abilities_api';\n+\tprivate const CATEGORY_SLUG     = 'burst-statistics';\n+\tprivate const CHAT_ABILITY_LIST = [\n+\t\t'burst\u002Flive-visitors',\n+\t\t'burst\u002Flive-traffic',\n+\t\t'burst\u002Ftoday-summary',\n+\t\t'burst\u002Ftasks',\n+\t\t'burst\u002Ftracking-status',\n+\t\t'burst\u002Flicense-notices',\n+\t\t'burst\u002Fdata',\n+\t\t'burst\u002Fsubscriptions-data',\n+\t];\n+\n+\t\u002F**\n+\t * Check whether the Abilities API setting is enabled.\n+\t *\u002F\n+\tpublic static function is_enabled(): bool {\n+\t\treturn (bool) burst_get_option( self::ENABLE_OPTION, false );\n+\t}\n+\n+\t\u002F**\n+\t * Show the chat enable notice only when the feature can actually be enabled.\n+\t *\u002F\n+\tpublic static function should_show_enable_notice(): bool {\n+\t\treturn function_exists( 'wp_register_ability' ) && ! 
self::is_enabled();\n+\t}\n \n \t\u002F**\n \t * Initialize Abilities API integration.\n \t *\u002F\n \tpublic function init(): void {\n-\t\tif ( function_exists( 'wp_register_ability' ) && (bool) burst_get_option( self::ENABLE_OPTION, false ) ) {\n+\t\tif ( self::is_enabled() ) {\n+\t\t\tadd_action( 'rest_api_init', [ $this, 'register_chat_rest_routes' ], 9 );\n+\t\t\tadd_filter( 'burst_do_action', [ $this, 'handle_ajax_chat_actions' ], 10, 3 );\n+\t\t}\n+\n+\t\tif ( function_exists( 'wp_register_ability' ) && self::is_enabled() ) {\n \t\t\tadd_action( 'wp_abilities_api_categories_init', [ self::class, 'register_category' ] );\n \t\t\tadd_action( 'wp_abilities_api_init', [ self::class, 'register' ] );\n \t\t\tadd_action( 'abilities_api_init', [ self::class, 'register' ] );\n@@ -529,7 +590,7 @@\n \tpublic function permission_callback( mixed $input = null ): bool|\\WP_Error {\n \t\tunset( $input );\n \n-\t\tif ( $this->user_can_view() ) {\n+\t\tif ( $this->user_can_manage() ) {\n \t\t\treturn true;\n \t\t}\n ... (truncated)","1. Administrator Enumeration: Identify a valid administrator username, typically via the `\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers` endpoint or common defaults like 'admin'.\n2. Authentication Bypass: Construct a request to a privileged REST API endpoint (such as `POST \u002Fwp-json\u002Fwp\u002Fv2\u002Fusers`).\n3. Header Injection: Include an `Authorization` header using Basic authentication: `Authorization: Basic \u003Cbase64(admin_user:random_password)>`.\n4. Execution: Because the plugin fails to correctly validate the provided password against the administrator account within the `is_mainwp_authenticated` flow, WordPress treats the request as being authenticated by the specified administrator for the duration of the execution.\n5. 
Privilege Escalation: The attacker can use this bypassed state to create a new administrator account or modify site settings, achieving full site takeover.","gemini-3-flash-preview","2026-05-14 17:23:59","2026-05-14 17:25:18",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","3.4.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fburst-statistics\u002Ftags\u002F3.4.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fburst-statistics.3.4.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fburst-statistics\u002Ftags\u002F3.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fburst-statistics.3.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fburst-statistics\u002Ftags"]
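Review bot: in the `init()` hunk of `class-abilities-api.php`, the new first block hooks `register_chat_rest_routes` and `handle_ajax_chat_actions` on `self::is_enabled()` alone, without the `function_exists( 'wp_register_ability' )` guard that the second block keeps and that `should_show_enable_notice()` treats as the condition for the feature being usable. Either fold both registrations under the same guard or say in the docblock why the chat routes are meant to load when the Abilities API is absent. The two callbacks are not part of the visible lines, so please also confirm that each route registered by `register_chat_rest_routes` carries its own `permission_callback` and that `handle_ajax_chat_actions` checks capability before acting. `self::is_enabled()` is also evaluated twice here; reading it once into a local would make the two conditions easier to compare.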
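Review bot: in the `permission_callback()` hunk, replacing `$this->user_can_view()` with `$this->user_can_manage()` raises the required capability for every ability that uses this callback, and nothing in the hunk or the method's docblock records why. Please state the intended capability in the docblock and confirm that users with view-only access are meant to lose read-only abilities. The diff is cut off after this hunk ("... (truncated)"), so the denial path of this method and the change to `is_mainwp_authenticated()` that the record describes are not visible here and cannot be reviewed from these lines.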