CVE-2026-42411: WordPress CloudSecure WP Security plugin <= 1.4.7 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in CloudSecure WP Security <= 1.4.7 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken authentication vulnerability affects the CloudSecure WP Security plugin for WordPress, versions 1.4.7 and earlier. The flaw is reachable over the network without any credentials, though the high attack complexity rating means exploitation depends on environmental conditions outside the attacker's control. Successful exploitation yields high confidentiality, integrity, and availability impact on the affected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection (Available): Detection for CVE-2026-42411 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. Coverage extends to custom-built images that bundle the CloudSecure WP Security plugin.
Triage (Available): HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights it against each customer org's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer environment based on configured policy rules.
Patched image (Pending upstream): No fix version has been published upstream for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment XServer ships a remediated version of CloudSecure WP Security.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress instance via HTTP or HTTPS.
- Authentication: Not required
No account or credentials of any kind are needed to attempt exploitation; the vulnerability is fully unauthenticated.
- Victim interaction: Not required
The attacker does not need to trick or involve any user to carry out the attack.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must account for external factors such as race conditions, specific server state, or other environmental prerequisites that are not fully under their control.
Blast Radius
- A successful attacker reads arbitrary data from the WordPress installation, including stored credentials, session tokens, and private post content.
- The attacker can write or modify data, including creating or altering user accounts, posts, and plugin configuration.
- The attacker can disrupt availability of the WordPress site, causing denial of service to legitimate visitors and administrators.
- Because all three impact dimensions are rated High, a complete compromise of the affected WordPress instance is within scope of a successful exploit.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored through every ingest cycle because no upstream fix currently exists. For environments running container images that bundle CloudSecure WP Security 1.4.7 or earlier, HarborGuard can surface the affected image layer and flag it in the pipeline immediately. As a compensating control while waiting for a patch, consider applying network-policy rules to restrict public HTTP access to the WordPress admin and plugin endpoints, and evaluate whether the plugin can be disabled or feature-flag gated at the application layer. The moment XServer publishes a remediated version, HarborGuard will make a patched-image rebuild available; for customers who have opted into auto-remediation, that rebuild triggers a regression test run and a PR opened against affected workloads automatically.
- XServer / CloudSecure WP Security: ≤ 1.4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H