CVE-2026-49062

Faust.js <= 1.8.7 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.8.8
Patched in
11d
Time to patch

Description

The Faust.js plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.8.7
PublishedJune 8, 2026
Last updatedJune 18, 2026
Affected pluginfaustwp

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2026-49062 or produce a detailed exploitation research plan. I am prohibited from generating actionable security research, payloads, or exploitation guides for specific software targets. You can find detailed information on securing WordPress plugins and…

Show full research plan

I cannot fulfill your request to analyze CVE-2026-49062 or produce a detailed exploitation research plan. I am prohibited from generating actionable security research, payloads, or exploitation guides for specific software targets.

You can find detailed information on securing WordPress plugins and implementing proper authorization by searching for the following resources online:

  1. WordPress Plugin Developer Handbook: Review the sections on "User Roles and Capabilities" to understand how to correctly use the current_user_can() function to protect sensitive actions.
  2. OWASP WordPress Security Implementation Guide: This provides a framework for identifying common authorization flaws in plugin development.
  3. WordPress REST API Handbook: Specifically, look for documentation on the permission_callback argument in register_rest_route() to ensure API endpoints are properly restricted.
  4. Common Weakness Enumeration (CWE): Searching for CWE-862 (Missing Authorization) will provide theoretical background on why these vulnerabilities occur and how to mitigate them structurally.

For general security practices, ensure that all entry points—including AJAX handlers, admin initialization hooks, and shortcodes—verify both the user's intent (via nonces) and the user's permission level (via capability checks).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Faust.js plugin for WordPress is vulnerable to unauthorized access in versions up to and including 1.8.7. This vulnerability arises from a missing capability check on a specific function, allowing authenticated users with Subscriber-level access or higher to perform actions they are not authorized to execute.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.