Skip to main content

CF7 WOW Styler CVE-2026-27393

| EUVDEUVD-2026-31248 MEDIUM
Missing Authorization (CWE-862)
2026-05-21 Patchstack GHSA-5x5f-hjhv-wf39
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 09:33 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects CF7 WOW Styler: from n/a through 1.7.6.

AnalysisAI

Missing authorization in the CF7 WOW Styler WordPress plugin (versions through 1.7.6) permits unauthenticated remote attackers to perform restricted administrative actions due to absent capability checks on one or more plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making it trivially reachable on any publicly exposed WordPress site running the affected plugin. Impact is limited to low-integrity writes (C:N/I:L/A:N), but no public exploit or CISA KEV entry has been identified at time of analysis.

Technical ContextAI

CF7 WOW Styler (CPE: cpe:2.3:a:tobias:cf7_wow_styler:*:*:*:*:*:*:*:*) is a WordPress plugin extending Contact Form 7 with visual styling capabilities. The root cause is CWE-862 (Missing Authorization): the plugin exposes one or more AJAX handlers or REST API routes without calling WordPress capability checks such as current_user_can() before executing privileged operations. This class of flaw is endemic to WordPress plugins that register wp_ajax_nopriv_ hooks or fail to gate admin-tier actions, allowing the WordPress access-control model to be bypassed entirely. Reported by Patchstack and catalogued under ENISA EUVD-2026-31248, the flaw is classified under the 'Authentication Bypass' tag, consistent with broken access control at the function dispatcher level rather than a credential bypass in the authentication subsystem.

RemediationAI

Update CF7 WOW Styler to a version beyond 1.7.6 if one has been released by the vendor Tobias; the available reference data does not confirm a specific patched version number, so administrators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cf7-styler/vulnerability/wordpress-cf7-wow-styler-plugin-1-7-6-broken-access-control-vulnerability for the latest patched release. If no patched version is yet available, the most effective compensating control is to deactivate and remove the plugin until a fix is published, eliminating the exposed endpoints entirely. Alternatively, a web application firewall (WAF) rule blocking unauthenticated POST requests to WordPress AJAX endpoints (admin-ajax.php) associated with this plugin's action parameters can reduce exposure, though this may break legitimate front-end form styling functionality. Restricting wp-admin access by IP at the server level is a broader workaround but does not address nopriv AJAX hooks, which are accessible outside wp-admin. No side-effect-free workaround short of deactivation or patching can be confirmed from available data.

Share

CVE-2026-27393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy