Skip to main content

ez Form Calculator Premium EUVDEUVD-2026-41306

| CVE-2026-57750 MEDIUM
Missing Authorization (CWE-862)
2026-07-02 Patchstack GHSA-vv3p-3x4h-5p84
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible WordPress plugin endpoint, no auth required per PR:N; scope unchanged and only limited integrity write impact confirmed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:30 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.

AnalysisAI

Broken access control in ez Form Calculator Premium WordPress plugin (versions up to and including 2.14.1.2) permits unauthenticated remote attackers to perform restricted plugin actions, resulting in unauthorized integrity modifications. Disclosed by Patchstack and classified under CWE-862 (Missing Authorization), the flaw requires no credentials, no user interaction, and no special configuration, lowering the exploitation barrier significantly. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running ez Form Calculator Premium
Delivery
Send unauthenticated HTTP request to unprotected plugin endpoint
Exploit
Bypass missing authorization check
Execution
Execute restricted plugin write operation
Impact
Modify form configuration or data

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond the plugin being installed and active on a WordPress site - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation against any default installation of ez Form Calculator Premium up to 2.14.1.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) is supported by the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network-reachable, low-complexity, unauthenticated exploitation with limited integrity impact and no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running ez Form Calculator Premium and sends a crafted HTTP POST request - likely to a WordPress AJAX endpoint or REST API route exposed by the plugin - that invokes a restricted action without triggering any authorization check. The attacker can then modify form settings, inject content into form definitions, or manipulate submission handling logic, achieving unauthorized write access to plugin-controlled data. …
Remediation Update ez Form Calculator Premium to a version beyond 2.14.1.2 once the vendor releases a patched build - no specific fixed version was confirmed in the available data, so site owners should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ez-form-calculator-premium/vulnerability/wordpress-ez-form-calculator-premium-plugin-2-14-1-2-broken-access-control-vulnerability and the plugin's official changelog for a patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy