Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated HTTP attack (AV:N/PR:N/UI:N); AC:H reflects undisclosed preconditions noted by Patchstack; broken auth on a security plugin yields full C/I/A impact on the WordPress site.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.
AnalysisAI
Authentication bypass in the CloudSecure WP Security WordPress plugin (versions ≤ 1.4.7) allows remote unauthenticated attackers to subvert the plugin's authentication controls, leading to high impact on confidentiality, integrity, and availability of affected WordPress sites. The flaw is tracked by Patchstack and ENISA EUVD as a broken authentication issue (CWE-288) with a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
CloudSecure WP Security is a third-party security plugin for WordPress distributed by xserver (per the CPE cpe:2.3:a:xserver:cloudsecure_wp_security). The underlying weakness is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning the plugin exposes a code path that reaches privileged functionality without going through the intended authentication routine. In WordPress plugins this commonly manifests as a REST route, AJAX action (wp_ajax_nopriv_*), or admin-post handler that omits a capability check, nonce verification, or current_user_can() gate, allowing requests over standard HTTP(S) to bypass login. Because the plugin's stated purpose is to harden security, a broken-authentication flaw in it directly undermines protections WordPress operators expect from it.
RemediationAI
Patch available per vendor advisory - administrators should upgrade CloudSecure WP Security to the version released after 1.4.7 as documented at https://patchstack.com/database/wordpress/plugin/cloudsecure-wp-security/vulnerability/wordpress-cloudsecure-wp-security-plugin-1-4-7-broken-authentication-vulnerability (the exact fixed version was not provided in the input and should be confirmed against the Patchstack page or the plugin changelog before deployment). Until the update is applied, compensating controls include deactivating the CloudSecure WP Security plugin entirely (trade-off: loses whatever hardening the plugin provides), restricting access to /wp-admin, /wp-json/ and admin-ajax.php endpoints to known administrative IPs via a WAF or reverse proxy (trade-off: breaks legitimate REST/AJAX traffic from arbitrary clients and may interfere with other plugins), and enabling a virtual-patch rule from Patchstack or another WordPress WAF that targets this CVE. Audit administrator accounts, active sessions, and recent wp_options/user changes for signs of pre-patch abuse after upgrading.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36814
GHSA-3ff9-cff4-995j