Description
Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control permitting unauthorized access to forms and data
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a missing authorization check in the WP Cost Estimation & Payment Forms Builder plugin, allowing users with lower privileges than intended administrators to read, modify, or delete payment form data. This flaw is represented by CWE‑862 and can expose financial information and disrupt processes that rely on the integrity of the payment forms. The potential impact is limited to the data managed by the plugin but can result in significant loss of confidentiality and data integrity if an attacker leverages the exposed access.

Affected Systems

All installations of the loopus WP Cost Estimation & Payment Forms Builder plugin with a version number earlier than 10.3.0 are affected. Sites that have deployed the plugin without strict role‑based access restrictions will be vulnerable to this flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates a high potential impact, though the EPSS score of less than 1% suggests that exploitation is currently uncommon. The plugin is not listed in the CISA KEV catalog. The likely attack vector is web access to the WordPress site where an attacker can submit requests that bypass the intended role checks; this inference is based on the description of a missing authorization defect. If the site's configuration allows permissive access, the risk is high, but the absence of such permissive settings reduces the likelihood of exploitation.

Generated by OpenCVE AI on March 26, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 10.3.0 or later to remove the broken access control issue
  • Verify that form access settings restrict visibility and editing rights to authorized administrator roles

Generated by OpenCVE AI on March 26, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Loopus
Loopus wp Cost Estimation & Payment Forms Builder
Wordpress
Wordpress wordpress
Vendors & Products Loopus
Loopus wp Cost Estimation & Payment Forms Builder
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0.
Title WordPress WP Cost Estimation & Payment Forms Builder plugin < 10.3.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Loopus Wp Cost Estimation & Payment Forms Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:04.499Z

Reserved: 2026-01-22T14:42:32.872Z

Link: CVE-2026-24363

cve-icon Vulnrichment

Updated: 2026-03-26T19:44:44.153Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:37.110

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-24363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:30Z

Weaknesses