Skip to main content

Wp Cost Estimation Payment Forms Builder CVE-2026-24363

| EUVDEUVD-2026-15559 HIGH
Missing Authorization (CWE-862)
2026-03-25 Patchstack
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.3.0
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15559
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0.

AnalysisAI

A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized users to access or manipulate form data and cost estimation functionality that should be restricted. While no CVSS score or EPSS data is currently available, the authentication bypass nature of this vulnerability and its inclusion in vulnerability databases like ENISA EUVD-2026-15559 suggests moderate-to-high real-world exploitability.

Technical ContextAI

The WP Cost Estimation & Payment Forms Builder plugin (identified via CPE cpe:2.3:a:loopus:wp_cost_estimation_&_payment_forms_builder:*:*:*:*:*:*:*:*) is a WordPress plugin designed to facilitate cost estimation and payment form functionality. The vulnerability stems from improper implementation of WordPress capability and role-based access control mechanisms, specifically a CWE-862 (Missing Authorization) flaw where the plugin fails to enforce proper authorization checks before allowing users to access or modify sensitive form operations. This is a common pattern in WordPress plugins where developers create administrative or user-facing functionality without verifying that the requesting user has the appropriate WordPress role or capability, allowing any authenticated user (or in some cases, unauthenticated users) to bypass intended access restrictions.

RemediationAI

WordPress administrators must immediately upgrade the WP Cost Estimation & Payment Forms Builder plugin to version 10.3.0 or later, which contains the authorization control fixes. Update via the WordPress plugin management interface (Plugins > Installed Plugins > Update Now) or through direct vendor channels. Until patches can be applied in environments with change management delays, implement mitigation measures including: restricting plugin access to administrators only via WordPress role-based controls, disabling the plugin if not actively in use, and implementing Web Application Firewall (WAF) rules to monitor and block suspicious requests to cost estimation and payment form endpoints. Regularly monitor the Patchstack database and ENISA EUVD for confirmation of remediation effectiveness in version 10.3.0.

Share

CVE-2026-24363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy