Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable plugin endpoint (AV:N), no special timing or configuration (AC:L), requires a low-privileged WordPress account to invoke the recovery path (PR:L), no user interaction, and full account-takeover yields C:H/I:H/A:H.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation.
This issue affects Faust.Js: from n/a through 1.8.7.
AnalysisAI
Authentication bypass in WP Engine's Faust.js (faustwp) plugin through version 1.8.7 enables password recovery exploitation, allowing an attacker with low privileges to abuse an alternate authentication path and take over accounts. The flaw maps to CWE-288 and carries a CVSS 3.1 score of 8.8 (high) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but the low attack complexity and network vector make this a high-priority concern for WordPress headless deployments.
Technical ContextAI
Faust.js is WP Engine's headless WordPress framework (faustwp plugin) used to decouple a Next.js/React front end from a WordPress back end via GraphQL. The CWE-288 classification (Authentication Bypass Using an Alternate Path or Channel) indicates that a secondary code path - here, the password recovery flow - does not enforce the same authentication or authorization checks as the primary login path, letting attackers reach authenticated functionality by routing around the intended gatekeeping. The affected CPE cpe:2.3:a:wp_engine:faust.js covers all versions of the plugin up to and including 1.8.7.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/faustwp/vulnerability/wordpress-faust-js-plugin-1-8-7-broken-authentication-vulnerability and upgrade Faust.js to the next release above 1.8.7 once the vendor publishes it. Until a fixed version is verified, compensating controls include restricting access to the WordPress password-recovery and Faust authentication endpoints (e.g., /wp-login.php?action=lostpassword and the faustwp REST/GraphQL auth routes) via WAF rules or IP allowlists, disabling Faust's authentication features if not strictly required (trade-off: front-end users lose self-service password reset), and monitoring WordPress audit logs for unexpected password-reset emails or privilege changes. Avoid disabling the plugin outright if it is fronting a production headless site, as that will break the React/Next.js front end.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36721
GHSA-j83q-r8xw-cfm6