Skip to main content

CloudSecure WP Security CVE-2026-42411

| EUVDEUVD-2026-36814 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-3ff9-cff4-995j
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote unauthenticated HTTP attack (AV:N/PR:N/UI:N); AC:H reflects undisclosed preconditions noted by Patchstack; broken auth on a security plugin yields full C/I/A impact on the WordPress site.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:03 vuln.today

DescriptionCVE.org

Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.

AnalysisAI

Authentication bypass in the CloudSecure WP Security WordPress plugin (versions ≤ 1.4.7) allows remote unauthenticated attackers to subvert the plugin's authentication controls, leading to high impact on confidentiality, integrity, and availability of affected WordPress sites. The flaw is tracked by Patchstack and ENISA EUVD as a broken authentication issue (CWE-288) with a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

CloudSecure WP Security is a third-party security plugin for WordPress distributed by xserver (per the CPE cpe:2.3:a:xserver:cloudsecure_wp_security). The underlying weakness is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning the plugin exposes a code path that reaches privileged functionality without going through the intended authentication routine. In WordPress plugins this commonly manifests as a REST route, AJAX action (wp_ajax_nopriv_*), or admin-post handler that omits a capability check, nonce verification, or current_user_can() gate, allowing requests over standard HTTP(S) to bypass login. Because the plugin's stated purpose is to harden security, a broken-authentication flaw in it directly undermines protections WordPress operators expect from it.

RemediationAI

Patch available per vendor advisory - administrators should upgrade CloudSecure WP Security to the version released after 1.4.7 as documented at https://patchstack.com/database/wordpress/plugin/cloudsecure-wp-security/vulnerability/wordpress-cloudsecure-wp-security-plugin-1-4-7-broken-authentication-vulnerability (the exact fixed version was not provided in the input and should be confirmed against the Patchstack page or the plugin changelog before deployment). Until the update is applied, compensating controls include deactivating the CloudSecure WP Security plugin entirely (trade-off: loses whatever hardening the plugin provides), restricting access to /wp-admin, /wp-json/ and admin-ajax.php endpoints to known administrative IPs via a WAF or reverse proxy (trade-off: breaks legitimate REST/AJAX traffic from arbitrary clients and may interfere with other plugins), and enabling a virtual-patch rule from Patchstack or another WordPress WAF that targets this CVE. Audit administrator accounts, active sessions, and recent wp_options/user changes for signs of pre-patch abuse after upgrading.

Share

CVE-2026-42411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy