CVE-2026-49062
Description
CVE-2026-49062 is an authentication bypass in Faust.Js up to 1.8.7, exploitable via password recovery, potentially leading to admin takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an Authentication Bypass Using an Alternate Path or Channel in the password recovery mechanism of the WordPress plugin Faust.Js, affecting all versions up to and including 1.8.7 [1]. It allows an attacker to bypass the authentication checks that are supposed to protect the password reset flow.
Exploitation
An attacker can exploit this vulnerability without prior authentication or special privileges, because the password recovery endpoint is publicly accessible [1]. By crafting a request that reaches the reset logic through an alternate path or channel, the attacker can trigger the vulnerability and perform actions normally restricted to higher-privileged users. The attack requires no user interaction and can be carried out remotely.
Impact
Successful exploitation lets the attacker perform actions that should be possible only for high-privilege accounts, such as gaining administrative access to the WordPress site [1]. This can lead to full site compromise, including data theft, malware injection, and defacement.
Mitigation
Users should update the Faust.Js plugin to version 1.8.8 or later, which contains the fix, as soon as possible [1]. For sites that cannot be updated promptly, applying the mitigation rule provided by Patchstack (e.g., blocking suspicious password recovery requests) is advised [1]. Hosting providers or web developers can assist with implementing workarounds until the update is applied.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. This section is only generated when the actual fix diff can be read; without it, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.