CVE-2026-24363
Missing Authorization in WP Cost Estimation Plugin Enables Access Abuse
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_estimation_form | wp_cost_estimation_and_payment_forms_builder | to 10.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Broken Access Control issue that allows unauthenticated users to perform actions requiring higher privileges, which can lead to unauthorized access to sensitive data or functionality.
Such unauthorized access risks violating common security requirements found in standards and regulations like GDPR and HIPAA, which mandate strict access controls to protect personal and sensitive information.
Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to failure to enforce proper authorization and protect data confidentiality and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-24363 is a Broken Access Control vulnerability in the WP Cost Estimation & Payment Forms Builder WordPress plugin prior to version 10.3.0. It allows unauthenticated users to perform privileged actions due to missing authorization checks.
Detection typically involves monitoring for unauthorized access attempts or suspicious requests targeting the vulnerable plugin endpoints. Since the vulnerability requires no prior authentication, network traffic inspection for unusual POST or GET requests to the plugin's endpoints may help identify exploitation attempts.
Specific commands or signatures for detection are not provided in the available resources. However, users are advised to update the plugin to version 10.3.0 or later to mitigate the vulnerability.
Patchstack offers mitigation rules and automated services that can block attacks targeting this vulnerability, which may include detection capabilities.
Can you explain this vulnerability to me?
CVE-2026-24363 is a high-priority Broken Access Control vulnerability in the WordPress plugin "WP Cost Estimation & Payment Forms Builder" affecting versions prior to 10.3.0.
The vulnerability arises from missing authorization, authentication, or nonce token checks within certain plugin functions, which allows unauthenticated users to perform actions that normally require higher privileges.
It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 7.5, indicating a significant security risk.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to bypass access controls and perform privileged actions on affected WordPress sites using the vulnerable plugin.
Because no prior authentication is required, attackers can exploit this flaw remotely and indiscriminately, potentially compromising thousands of websites.
Such exploitation can lead to unauthorized changes, data manipulation, or other malicious activities that compromise the security and integrity of the affected site.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Cost Estimation & Payment Forms Builder plugin to version 10.3.0 or later, where the vulnerability has been patched.
For users unable to update immediately, Patchstack provides mitigation rules that block attacks targeting this flaw.
Additionally, users can enable auto-updates for vulnerable plugins through Patchstackβs platform to ensure timely protection.
Prompt patching is emphasized due to the high risk and potential for mass exploitation.