CVE-2026-49062
Status: Received - Intake
Authentication Bypass in Faust.Js via Alternate Path

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.

Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor | Product | Version / Range
patchstack | faust.js | From 1.0.0 (inc) to 1.8.7 (inc)

CWE
CWE ID | Description
CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Executive Summary

CVE-2026-49062 is a high-priority authentication bypass vulnerability in the WordPress Faust.js plugin versions 1.8.7 and earlier. It allows attackers with low-level access, such as a Subscriber role, to exploit the password recovery mechanism and gain unauthorized administrative access to the website.

This flaw is categorized under OWASP Top 10 A7: Identification and Authentication Failures, indicating a serious weakness in the authentication process.

Impact Analysis

This vulnerability can have severe impacts including unauthorized administrative access to your WordPress website by attackers with initially low privileges.

  • Attackers can perform actions normally restricted to admins, potentially compromising the entire site.
  • It poses a high risk of mass exploitation campaigns targeting thousands of websites using the vulnerable plugin.
  • Such unauthorized access can lead to data breaches, site defacement, or further malware installation.

Mitigation Strategies

To mitigate the vulnerability in the WordPress Faust.js Plugin (versions 1.8.7 and earlier), the immediate recommended step is to update the plugin to version 1.8.8 or later.

If updating is not immediately possible, Patchstack has provided a mitigation rule to block attacks targeting this vulnerability until the update can be applied.

Additionally, users should seek assistance from their hosting provider or developer to implement temporary protections or mitigations.

Compliance Impact

The vulnerability in the WordPress Faust.js Plugin (CVE-2026-49062) allows attackers with low-level access to bypass authentication and potentially gain admin privileges. This type of broken authentication flaw can lead to unauthorized access to sensitive data and administrative functions.

Such unauthorized access risks violating common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Failure to prevent unauthorized access could result in data breaches, non-compliance penalties, and damage to organizational reputation.

Therefore, organizations using affected versions of Faust.js must promptly apply patches or mitigations to maintain compliance with these regulations.
