HarborGuard Database
CVE-2026-49062 | Severity: HIGH | CNA: Patchstack

CVE-2026-49062: WordPress Faust.js plugin <= 1.8.7 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability affects the WP Engine Faust.js WordPress plugin at version 1.8.7 and earlier. The flaw is reachable over the network and requires only a low-privilege account, meaning an attacker who can log in with any standard user credentials can exploit a password recovery channel to bypass authentication controls entirely. Successful exploitation gives the attacker full read, write, and availability control over the affected installation. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-49062 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and mirrored registries. Coverage extends to custom-built images that bundle the Faust.js plugin, not only images pulled from public sources.

Status: Available
Triage

HarborGuard scores this CVE at 8.8 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to reflect actual exposure. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on policy configuration.

Status: Available
Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment WP Engine ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once an upstream fix exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; local or physical access is not required.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker does not need administrator credentials, but some valid account on the target site is needed.

  • Victim interaction: Not required

    No action from any other user or administrator is needed to complete the attack.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental requirements to satisfy.

Blast Radius

  • Reads any content accessible to an authenticated session, including private posts, user data, and stored credentials or tokens.
  • Modifies site content, user records, plugin settings, or any persisted data writable by an authenticated user.
  • Disrupts site availability by altering or deleting critical configuration, content, or user account data.
  • Effective authentication bypass means the attacker can escalate the scope of damage across the entire WordPress installation without further barriers.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored on every ingest cycle against images that include the Faust.js plugin at version 1.8.7 or earlier. Because no upstream fix exists at this time, HarborGuard cannot yet offer a patched-image rebuild, but the advisory is re-evaluated automatically each cycle so the rebuild will become available without delay once WP Engine publishes a remediated version. In the interim, compensating controls are worth considering: network-policy rules that restrict public access to WordPress authentication and password-recovery endpoints, egress filtering to limit what a compromised container can reach, and disabling or gating the Faust.js password-recovery flow via feature-flag or plugin configuration if the application does not depend on it. For customers with auto-remediation enabled, the full rebuild-regression-PR pipeline will activate automatically when the upstream patch is available.

Affected packages
  • WP Engine / Faust.js ≤ 1.8.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H