Description
Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.
Published: 2026-06-26
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Enable CORS plugin for WordPress up to version 2.0.3 contains an unauthenticated backdoor that allows an attacker to execute arbitrary code on the host server. The flaw is classified as CWE-321, Use of Hard-coded Cryptographic Key. An attacker who can reach the vulnerable endpoint can gain full control of the WordPress installation, potentially compromising all hosted sites and data.

Affected Systems

This vulnerability is limited to the Enable CORS plugin for WordPress developed by Dev Kabir. Versions 2.0.3 and earlier are affected. WordPress sites that have installed the plugin without updating to the latest patched release (starting at 2.0.4) are at risk.

Risk and Exploitability

The CVSS score of 7.4 indicates a high severity. No EPSS data is provided, but the unauthenticated nature of the backdoor means that exploitation is likely to be feasible once an attacker discovers the accessible endpoint. The vulnerability is not listed in the CISA KEV catalog. Because the plugin communicates over web requests, the attack vector is likely through HTTP or HTTPS traffic to the site. Prompt patching is strongly advised.

Generated by OpenCVE AI on June 26, 2026 at 16:48 UTC.

Remediation

Vendor Solution

Update the WordPress Enable CORS Plugin to the latest available version (at least 2.0.4).


OpenCVE Recommended Actions

  • Update the Enable CORS plugin to at least version 2.0.4
  • If the plugin is not required, uninstall it from the WordPress installation
  • Keep all WordPress components up to date and regularly scan for known vulnerabilities.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Values Added, by type (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Values Added, by type (no values removed):

  • Description: Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions.
  • Title: WordPress Enable CORS plugin <= 2.0.3 - Backdoor vulnerability
  • Weaknesses: CWE-321
  • References
  • Metrics: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:38:38.561Z

Reserved: 2026-06-16T09:21:57.268Z

Link: CVE-2026-54833

Vulnrichment

Updated: 2026-06-26T15:38:35.412Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-321: Use of Hard-coded Cryptographic Key