Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.2.3.
AnalysisAI
Missing authorization in Brainstorm Force CartFlows WordPress plugin versions up to 2.2.3 allows authenticated attackers to modify data through incorrectly configured access control, enabling unauthorized changes to plugin settings or resources. CVSS 4.3 (low severity) with EPSS 0.02% indicates limited real-world exploitation probability; the vulnerability requires prior authentication and does not enable code execution or confidentiality breaches.
Technical ContextAI
CartFlows is a WordPress e-commerce funnel builder plugin developed by Brainstorm Force, distributed via the WordPress plugin marketplace and identified by CPE cpe:2.3:a:brainstorm_force:cartflows:*:*:*:*:*:*:*:*. The vulnerability stems from CWE-862 (Missing Authorization), a classic access control flaw where the application fails to enforce proper permission checks before allowing authenticated users to perform sensitive operations. In WordPress plugins, this typically manifests as missing nonce verification, inadequate capability checks (e.g., using 'manage_options' when role-based restrictions are required), or direct database modifications without proper ACL enforcement. CartFlows' improper access control allows authenticated users with lower privileges to access or modify resources intended for higher-privilege roles, compromising the plugin's security posture within WordPress's multi-role ecosystem.
RemediationAI
Update CartFlows to a patched version newer than 2.2.3 as released by Brainstorm Force. Users should navigate to WordPress Dashboard → Plugins → Installed Plugins and check for available updates, or manually download the latest CartFlows release from https://patchstack.com/database/Wordpress/Plugin/cartflows/. Additionally, audit WordPress user roles and capabilities to ensure non-administrator users do not have unnecessary access to CartFlows settings; restrict the 'manage_cartflows' capability (or equivalent) to administrators only via WordPress capability checks. Consult the Brainstorm Force security advisory and NIST CVE entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39477) for patch version details and deployment guidance.
The Funnel Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the a
The Funnel Builder by CartFlows - Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not saniti
The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low at
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force US LLC CartFlows Pro allows Cross Site Request Forge
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20144
GHSA-8f6m-3c4p-c477