Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects CF7 WOW Styler: from n/a through 1.7.6.
AnalysisAI
Missing authorization in the CF7 WOW Styler WordPress plugin (versions through 1.7.6) permits unauthenticated remote attackers to perform restricted administrative actions due to absent capability checks on one or more plugin endpoints. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and no user interaction, making it trivially reachable on any publicly exposed WordPress site running the affected plugin. Impact is limited to low-integrity writes (C:N/I:L/A:N), but no public exploit or CISA KEV entry has been identified at time of analysis.
Technical ContextAI
CF7 WOW Styler (CPE: cpe:2.3:a:tobias:cf7_wow_styler:*:*:*:*:*:*:*:*) is a WordPress plugin extending Contact Form 7 with visual styling capabilities. The root cause is CWE-862 (Missing Authorization): the plugin exposes one or more AJAX handlers or REST API routes without calling WordPress capability checks such as current_user_can() before executing privileged operations. This class of flaw is endemic to WordPress plugins that register wp_ajax_nopriv_ hooks or fail to gate admin-tier actions, allowing the WordPress access-control model to be bypassed entirely. Reported by Patchstack and catalogued under ENISA EUVD-2026-31248, the flaw is classified under the 'Authentication Bypass' tag, consistent with broken access control at the function dispatcher level rather than a credential bypass in the authentication subsystem.
RemediationAI
Update CF7 WOW Styler to a version beyond 1.7.6 if one has been released by the vendor Tobias; the available reference data does not confirm a specific patched version number, so administrators should check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/cf7-styler/vulnerability/wordpress-cf7-wow-styler-plugin-1-7-6-broken-access-control-vulnerability for the latest patched release. If no patched version is yet available, the most effective compensating control is to deactivate and remove the plugin until a fix is published, eliminating the exposed endpoints entirely. Alternatively, a web application firewall (WAF) rule blocking unauthenticated POST requests to WordPress AJAX endpoints (admin-ajax.php) associated with this plugin's action parameters can reduce exposure, though this may break legitimate front-end form styling functionality. Restricting wp-admin access by IP at the server level is a broader workaround but does not address nopriv AJAX hooks, which are accessible outside wp-admin. No side-effect-free workaround short of deactivation or patching can be confirmed from available data.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31248
GHSA-5x5f-hjhv-wf39