Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Remote and unauthenticated (AV:N/PR:N/UI:N), but recovering and applying the hard-coded key adds AC:H; key abuse exposes and alters protected data (C:H/I:H) with no availability impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.
AnalysisAI
Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to be running the WordPress "Enable CORS" plugin at version 2.0.3 or earlier; the attacker must recover and correctly apply the plugin's hard-coded cryptographic key. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be weighed rather than taken at CVSS face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote, unauthenticated attacker extracts the hard-coded cryptographic key from the publicly distributed Enable CORS plugin code and uses it to forge or validate the protected request material, then sends crafted requests to a target site running version <= 2.0.3 to access or modify data the key was meant to guard. The CVSS AC:H suggests the attacker must satisfy additional conditions (such as correct key derivation and request shaping) for reliable success. … |
| Remediation | No vendor-released patch version was identified at time of analysis; the input provides no fixed version number, only the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/enable-cors/vulnerability/wordpress-enable-cors-plugin-2-0-3-backdoor-vulnerability?_s_id=cve), which should be consulted for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress installations with 'Enable CORS' plugin versions 2.0.3 or earlier; uninstall or disable the plugin immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39677
GHSA-j6v4-3f83-jr3w