Description
Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.
Published: 2026-06-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability presents an unauthenticated broken authentication flaw that allows an attacker to bypass login checks in the CloudSecure WP Security plugin, enabling the execution of privileged actions on a WordPress site without valid credentials. This weakness is identified as CWE-288, which signifies improper authentication logic. The flaw could result in full control of the WordPress installation, compromising confidentiality, integrity, and availability of site data.

Affected Systems

XServer’s CloudSecure WP Security plugin for WordPress, in all releases up to and including version 1.4.7. WordPress installations that have not applied the 1.4.8 or later update remain vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while an EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog, but attackers could reach the vulnerability through the WordPress web interface, potentially gaining full site compromise if the plugin’s authentication checks are successfully bypassed.

Generated by OpenCVE AI on June 16, 2026 at 22:23 UTC.

Remediation

Vendor Solution

Update the WordPress CloudSecure WP Security Plugin to the latest available version (at least 1.4.8).

OpenCVE Recommended Actions

  • Update CloudSecure WP Security to version 1.4.8 or later.
  • Verify that the plugin’s configuration enforces proper authentication and does not expose administrative endpoints to anonymous users.
  • Monitor login activity and enforce rate limiting or two‑factor authentication for administrative accounts to reduce the impact of any residual authentication weaknesses.

Generated by OpenCVE AI on June 16, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.
Title WordPress CloudSecure WP Security plugin <= 1.4.7 - Broken Authentication vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:30:02.067Z

Reserved: 2026-04-27T10:39:10.016Z

Link: CVE-2026-42411

cve-icon Vulnrichment

Updated: 2026-06-15T22:29:58.167Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:54.357

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42411

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel