Skip to main content

Enable CORS EUVDEUVD-2026-39677

| CVE-2026-54833 HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2026-06-26 audit@patchstack.com GHSA-j6v4-3f83-jr3w
7.4
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

Remote and unauthenticated (AV:N/PR:N/UI:N), but recovering and applying the hard-coded key adds AC:H; key abuse exposes and alters protected data (C:H/I:H) with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:35 vuln.today

DescriptionCVE.org

Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.

AnalysisAI

Unauthenticated backdoor in the WordPress "Enable CORS" plugin (versions <= 2.0.3) lets remote attackers leverage a hard-coded cryptographic key (CWE-321) to bypass access controls and read or alter protected data without any credentials. Reported by Patchstack and tagged as Information Disclosure, the issue carries a CVSS 7.4; no public exploit and no CISA KEV listing exist at the time of analysis, and despite the network attack vector the CVSS marks high attack complexity, indicating exploitation is non-trivial.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Enable CORS <= 2.0.3
Delivery
Extract hard-coded key from plugin code
Exploit
Forge key-validated request to plugin endpoint
Execution
Bypass access control via backdoor
Impact
Read or alter protected data

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be running the WordPress "Enable CORS" plugin at version 2.0.3 or earlier; the attacker must recover and correctly apply the plugin's hard-coded cryptographic key. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should be weighed rather than taken at CVSS face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote, unauthenticated attacker extracts the hard-coded cryptographic key from the publicly distributed Enable CORS plugin code and uses it to forge or validate the protected request material, then sends crafted requests to a target site running version <= 2.0.3 to access or modify data the key was meant to guard. The CVSS AC:H suggests the attacker must satisfy additional conditions (such as correct key derivation and request shaping) for reliable success. …
Remediation No vendor-released patch version was identified at time of analysis; the input provides no fixed version number, only the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/enable-cors/vulnerability/wordpress-enable-cors-plugin-2-0-3-backdoor-vulnerability?_s_id=cve), which should be consulted for an updated release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress installations with 'Enable CORS' plugin versions 2.0.3 or earlier; uninstall or disable the plugin immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy