Skip to main content

Faust.js CVE-2026-49062

| EUVDEUVD-2026-36721 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-j83q-r8xw-cfm6
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable plugin endpoint (AV:N), no special timing or configuration (AC:L), requires a low-privileged WordPress account to invoke the recovery path (PR:L), no user interaction, and full account-takeover yields C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 14:32 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation.

This issue affects Faust.Js: from n/a through 1.8.7.

AnalysisAI

Authentication bypass in WP Engine's Faust.js (faustwp) plugin through version 1.8.7 enables password recovery exploitation, allowing an attacker with low privileges to abuse an alternate authentication path and take over accounts. The flaw maps to CWE-288 and carries a CVSS 3.1 score of 8.8 (high) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the low attack complexity and network vector make this a high-priority concern for WordPress headless deployments.

Technical ContextAI

Faust.js is WP Engine's headless WordPress framework (faustwp plugin) used to decouple a Next.js/React front end from a WordPress back end via GraphQL. The CWE-288 classification (Authentication Bypass Using an Alternate Path or Channel) indicates that a secondary code path - here, the password recovery flow - does not enforce the same authentication or authorization checks as the primary login path, letting attackers reach authenticated functionality by routing around the intended gatekeeping. The affected CPE cpe:2.3:a:wp_engine:faust.js covers all versions of the plugin up to and including 1.8.7.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/faustwp/vulnerability/wordpress-faust-js-plugin-1-8-7-broken-authentication-vulnerability and upgrade Faust.js to the next release above 1.8.7 once the vendor publishes it. Until a fixed version is verified, compensating controls include restricting access to the WordPress password-recovery and Faust authentication endpoints (e.g., /wp-login.php?action=lostpassword and the faustwp REST/GraphQL auth routes) via WAF rules or IP allowlists, disabling Faust's authentication features if not strictly required (trade-off: front-end users lose self-service password reset), and monitoring WordPress audit logs for unexpected password-reset emails or privilege changes. Avoid disabling the plugin outright if it is fronting a production headless site, as that will break the React/Next.js front end.

Share

CVE-2026-49062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy