Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible WordPress plugin endpoint, no auth required per PR:N; scope unchanged and only limited integrity write impact confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.
AnalysisAI
Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond the plugin being installed and active on a WordPress site - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation against any default installation of ez Form Calculator Premium up to 2.14.1.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) is supported by the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network-reachable, low-complexity, unauthenticated exploitation with limited integrity impact and no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running ez Form Calculator Premium and sends a crafted HTTP POST request - likely to a WordPress AJAX endpoint or REST API route exposed by the plugin - that invokes a restricted action without triggering any authorization check. The attacker can then modify form settings, inject content into form definitions, or manipulate submission handling logic, achieving unauthorized write access to plugin-controlled data. … |
| Remediation | Update ez Form Calculator Premium to a version beyond 2.14.1.2 once the vendor releases a patched build - no specific fixed version was confirmed in the available data, so site owners should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ez-form-calculator-premium/vulnerability/wordpress-ez-form-calculator-premium-plugin-2-14-1-2-broken-access-control-vulnerability and the plugin's official changelog for a patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41306
GHSA-vv3p-3x4h-5p84