Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionCVE.org
Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0.
AnalysisAI
A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized users to access or manipulate form data and cost estimation functionality that should be restricted. While no CVSS score or EPSS data is currently available, the authentication bypass nature of this vulnerability and its inclusion in vulnerability databases like ENISA EUVD-2026-15559 suggests moderate-to-high real-world exploitability.
Technical ContextAI
The WP Cost Estimation & Payment Forms Builder plugin (identified via CPE cpe:2.3:a:loopus:wp_cost_estimation_&_payment_forms_builder:*:*:*:*:*:*:*:*) is a WordPress plugin designed to facilitate cost estimation and payment form functionality. The vulnerability stems from improper implementation of WordPress capability and role-based access control mechanisms, specifically a CWE-862 (Missing Authorization) flaw where the plugin fails to enforce proper authorization checks before allowing users to access or modify sensitive form operations. This is a common pattern in WordPress plugins where developers create administrative or user-facing functionality without verifying that the requesting user has the appropriate WordPress role or capability, allowing any authenticated user (or in some cases, unauthenticated users) to bypass intended access restrictions.
RemediationAI
WordPress administrators must immediately upgrade the WP Cost Estimation & Payment Forms Builder plugin to version 10.3.0 or later, which contains the authorization control fixes. Update via the WordPress plugin management interface (Plugins > Installed Plugins > Update Now) or through direct vendor channels. Until patches can be applied in environments with change management delays, implement mitigation measures including: restricting plugin access to administrators only via WordPress role-based controls, disabling the plugin if not actively in use, and implementing Web Application Firewall (WAF) rules to monitor and block suspicious requests to cost estimation and payment form endpoints. Regularly monitor the Patchstack database and ENISA EUVD for confirmation of remediation effectiveness in version 10.3.0.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15559