CVE-2026-49062
Status: Deferred - Pending Action

Authentication Bypass in Faust.Js via Alternate Path

Vulnerability report for CVE-2026-49062, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-07-06
AI Q&A: 2026-06-15
EPSS Evaluated: 2026-07-04
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE

Vendor      Product   Version / Range
patchstack  faust.js  From 1.0.0 (inc) to 1.8.7 (inc)

Helpful Resources

Exploitability

CWE

CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Executive Summary

CVE-2026-49062 is an authentication bypass (CWE-288, Authentication Bypass Using an Alternate Path or Channel) in the WP Engine Faust.js WordPress plugin, affecting versions through 1.8.7. An attacker who already holds a low-privileged account, such as the Subscriber role, can abuse the plugin's password recovery mechanism to obtain administrative access to the site instead of going through the normal authentication path.

The flaw falls under OWASP Top 10 (2021) A07: Identification and Authentication Failures, which indicates a weakness in the authentication process itself rather than in a single feature.

Impact Analysis

The impact is unauthorized administrative access to the WordPress site by an attacker who starts with only low privileges.

  • Once administrative access is obtained, the attacker can perform every action normally restricted to administrators and compromise the entire site.
  • Because the trigger requires nothing more than a low-privileged account, the flaw is a candidate for automated, mass exploitation across sites running the vulnerable plugin.
  • Administrative access leads to data exposure, site defacement, and persistence through additional plugins, themes, or backdoor code.
Mitigation Strategies

To remediate the vulnerability in the Faust.js plugin (versions through 1.8.7), update the plugin to version 1.8.8 or later.

If updating is not immediately possible, Patchstack has provided a mitigation rule that blocks requests matching this attack until the update can be applied. A rule of this kind blocks known request patterns in front of the site; it does not remove the flaw, so treat the plugin update as the actual fix.

Site owners who do not manage the installation themselves should ask their hosting provider or developer to apply the update or an equivalent temporary protection.

Compliance Impact

The vulnerability in the WordPress Faust.js Plugin (CVE-2026-49062) allows attackers with low-level access to bypass authentication and potentially gain admin privileges. This type of broken authentication flaw can lead to unauthorized access to sensitive data and administrative functions.

Such unauthorized access risks violating common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Failure to prevent unauthorized access could result in data breaches, non-compliance penalties, and damage to organizational reputation.

Therefore, organizations using affected versions of Faust.js must promptly apply patches or mitigations to maintain compliance with these regulations.

Detection Guidance

The vulnerability in the Faust.js plugin (versions through 1.8.7) lets a low-privileged user bypass authentication through the password recovery mechanism and end up with higher privileges. Detection therefore centres on two things: abuse of the password recovery flow, and privilege changes or administrative actions that cannot be explained by a legitimate administrator.

Patchstack's mitigation rule blocks the attack until the plugin is updated, but the available resources do not publish request signatures or detection commands for this CVE, so the specific vulnerable request is not known from this page.

As a general approach, review web server access logs for bursts of password recovery requests (wp-login.php with action=lostpassword, action=rp or action=resetpass) and for requests to the plugin's REST routes from the same client, and check the WordPress database for unexpected state: administrator accounts whose passwords were reset, users whose role was changed, and pending reset keys in wp_users.user_activation_key that no one requested. WordPress does not log these events by default, so an audit-log plugin or the hosting provider's logs are usually needed.

Update the plugin to version 1.8.8 or later first; if you need custom detection rules for your environment, ask your hosting provider or developer to build them from the checks above.
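The following script is an added example of the log review described above, not code from Patchstack, WP Engine or the Faust.js project. It assumes combined-format access logs, the WordPress core recovery flow at wp-login.php?action=lostpassword / rp / resetpass, that the Faust.js plugin (wordpress.org slug "faustwp") registers its REST routes under /wp-json/faustwp/ (the /v1/authorize path in the sample is likewise assumed), and that 1.8.8 is the first fixed release as the advisory states. The sample log lines are constructed. Because the exact exploit request is not public on this page, the script flags the flows an attacker has to touch rather than a signature of the exploit itself.

```python
"""Log triage helper for CVE-2026-49062 (Faust.js password recovery abuse).

Added example; not code from Patchstack, WP Engine or the Faust.js project.
Assumptions: combined-format access logs; WordPress recovery flow under
wp-login.php?action=...; Faust.js ("faustwp") REST routes under /wp-json/faustwp/.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (1, 8, 8)            # first fixed release named in the advisory
RESET_ACTIONS = {"lostpassword", "retrievepassword", "rp", "resetpass"}
FAUST_REST_PREFIX = "/wp-json/faustwp/"      # assumed plugin REST namespace
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client runs the recovery flow six times in 25 s and
# calls a Faust.js route in between; one benign reset; one ordinary page view.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2026:09:00:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3120
203.0.113.5 - - [16/Jun/2026:09:00:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.5 - - [16/Jun/2026:09:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.5 - - [16/Jun/2026:09:00:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.5 - - [16/Jun/2026:09:00:14 +0000] "POST /wp-json/faustwp/v1/authorize HTTP/1.1" 200 512
203.0.113.5 - - [16/Jun/2026:09:00:20 +0000] "GET /wp-login.php?action=rp&key=REDACTED&login=admin HTTP/1.1" 200 2980
203.0.113.5 - - [16/Jun/2026:09:00:25 +0000] "POST /wp-login.php?action=resetpass HTTP/1.1" 302 0
198.51.100.7 - - [16/Jun/2026:09:12:40 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3120
192.0.2.9 - - [16/Jun/2026:09:13:02 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 14020
"""


def is_vulnerable(version: str) -> bool:
    """True when the installed version is in the affected range (through 1.8.7)."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:3]
    nums += [0] * (3 - len(nums))                 # "1.8" compares as 1.8.0
    return tuple(nums) < FIXED_VERSION


def classify(target: str):
    """Tag a request target as part of the recovery flow, a Faust.js route, or neither."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.endswith("/wp-login.php") and query.get("action", [""])[0] in RESET_ACTIONS:
        return "reset"
    if parts.path.startswith(FAUST_REST_PREFIX):
        return "faust_rest"
    if query.get("rest_route", [""])[0].startswith("/faustwp/"):   # plain permalinks
        return "faust_rest"
    return None


def parse_line(line: str):
    """Return an event dict for lines of interest, None for everything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    kind = classify(m["target"])
    if kind is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "kind": kind, "status": int(m["status"]), "target": m["target"]}


def max_in_window(times, window_s):
    """Largest number of timestamps that fit inside any window_s-second span."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and (times[j] - start).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def find_suspicious(lines, window_s=300, threshold=5):
    """Flag clients that burst the recovery flow or pair it with Faust.js routes."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["ip"]].append(ev)
    findings = []
    for ip, evs in sorted(events.items()):
        resets = [e["ts"] for e in evs if e["kind"] == "reset"]
        faust = [e for e in evs if e["kind"] == "faust_rest"]
        reasons = []
        burst = max_in_window(resets, window_s)
        if burst >= threshold:
            reasons.append(f"{burst} recovery requests within {window_s}s")
        if resets and faust:
            reasons.append("recovery flow and Faust.js REST used by the same client")
        if reasons:
            findings.append({"ip": ip, "reset_requests": len(resets),
                             "faust_requests": len(faust), "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("1.8.7 affected:", is_vulnerable("1.8.7"), "| 1.8.8 affected:", is_vulnerable("1.8.8"))
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["reasons"])
```

Run it against a real log with `find_suspicious(open("access.log"))`; tune `window_s` and `threshold` to the site's normal password reset volume, and treat a hit as a prompt to check the database state described above (reset admin passwords, role changes, unrequested reset keys), not as proof of exploitation.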
