Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation.

This issue affects Faust.Js: from n/a through 1.8.7.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Faust.js plugin contains an authentication bypass that allows an attacker to use the password recovery channel to reset a user’s password without proper authorization. By triggering this flaw, an adversary can gain administrative access to the website, compromising confidentiality, integrity, and availability. The weakness is classified as CWE‑288 (Authentication Bypass Using an Alternate Path or Channel): the password recovery flow acts as an alternate path that is not protected by the plugin’s normal authentication checks.

Affected Systems

Sites running WP Engine’s Faust.js plugin at version 1.8.7 or earlier are affected; any WordPress installation that has not upgraded to 1.8.8 or later is vulnerable. The plugin is typically installed under /wp-content/plugins/faustjs (or a similar path) and is commonly deployed both on WordPress sites hosted by WP Engine and on self‑hosted WordPress sites.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity authentication bypass. The EPSS score is very low (below 1%) and the vulnerability is not listed in CISA’s KEV catalog, so no exploitation in the wild has been confirmed. However, because the attack is delivered through the site’s password reset flow, exploitation is straightforward for an attacker who can reach the recovery endpoint; the likely attack vector is a web request to the password recovery page. Note that the CVSS vector records PR:L (low privileges required), so some low-privileged access to the site is assumed rather than a fully anonymous attack.

Generated by OpenCVE AI on June 16, 2026 at 01:52 UTC.

Remediation

Vendor Solution

Update the WordPress Faust.js Plugin to the latest available version (at least 1.8.8).

OpenCVE Recommended Actions

  • Apply the latest Faust.js plugin update (at least version 1.8.8).
  • Block or restrict unauthenticated access to the password recovery endpoint until the update can be applied, such as by adding a firewall rule or disabling the feature via WordPress settings.
  • Implement rate limiting or CAPTCHA on the password reset form and monitor for abnormal reset activity to reduce brute‑force attempts.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.

Type: Title
Values Removed: (empty)
Values Added: WordPress Faust.js plugin <= 1.8.7 - Broken Authentication vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-288

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T14:48:17.589Z

Reserved: 2026-05-27T10:26:54.457Z

Link: CVE-2026-49062

Vulnrichment

Updated: 2026-06-15T14:48:05.972Z

NVD

Status: Deferred

Published: 2026-06-15T14:16:35.727

Modified: 2026-06-15T20:42:32.707

Link: CVE-2026-49062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T02:00:04Z

Weaknesses
  • CWE-288: Authentication Bypass Using an Alternate Path or Channel