Ctrl + K
/ news / CVE
CVEPublished 2026-05-14Modified 2026-05-142 articles on news5 live referencesNVD data

CVE-2026-8181

Vulnerability data via NVD (ingested)

CVSS v3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS percentile
Weaknesses (CWE)
CWE-287Improper Authentication
Description

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

Timeline
Published 2026-05-14
Modified 2026-05-14

External references

NVDMITREExploit-DBSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-8181
Hosts Shodan has explicitly fingerprinted as vulnerable.
More intel sources (5)
Shodan report
vuln:CVE-2026-8181
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-8181
Censys host search filtered to this CVE id.
grep.app
CVE-2026-8181
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-8181
GitHub code search for direct mentions.
Google dork
"CVE-2026-8181" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2026-81818 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
★ 7,843·updated 5d ago
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
★ 51·updated 2w ago
zulloper/cve-pocPython
CVE POC repo 자동 수집기
★ 13·updated 5d ago
tomjwxf/scopeblind-gatewayTypeScript
Active development continues at ScopeBlind/scopeblind-gateway. - Security gateway for MCP servers. Cedar policy engine, Ed25519-signed receipts, per-tool enforcement. IETF Internet…
★ 8·updated 2mo ago
zycoder0day/CVE-2026-8181Python
CVE-2026-8181 - Burst Statistics 3.4.0-3.4.1.1 Unauthenticated Authentication Bypass to Admin Account Takeover | Proof of Concept
★ 5·updated 1mo ago
HACKFORLAB/HACKFORLAB_NBAD_PCAP_AnalyzerPython
★ 5·updated 4mo ago
steinarb/authserviceJava
An OSGi web whiteboard webapp that serves as authenticator and login page for the nginx_auth_request_module
★ 4·updated 5d ago
megaphone-tokyo/kiokuJavaScript
Memory for Claude Code — auto-accumulate sessions into an Obsidian Wiki
★ 4·updated 1w ago
Articles on news mentioning CVE-2026-8181