{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24363", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.872Z", "datePublished": "2026-03-25T16:14:31.370Z", "dateUpdated": "2026-03-25T16:14:31.370Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "WP_Estimation_Form", "product": "WP Cost Estimation & Payment Forms Builder", "vendor": "loopus", "versions": [{"changes": [{"at": "10.3.0", "status": "unaffected"}], "lessThanOrEqual": "< 10.3.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:13.761Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0.</p>"}], "value": "Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:31.370Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/WP_Estimation_Form/vulnerability/wordpress-wp-cost-estimation-payment-forms-builder-plugin-10-3-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Cost Estimation & Payment Forms Builder plugin < 10.3.0 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0."}], "id": "CVE-2026-24363", "lastModified": "2026-03-25T17:16:37.110", "metrics": {}, "published": "2026-03-25T17:16:37.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/WP_Estimation_Form/vulnerability/wordpress-wp-cost-estimation-payment-forms-builder-plugin-10-3-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:44:39.949095+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version 10.3.0 or later. This is the officially recommended fix.", "Ensure that only trusted administrators have access to the plugin\u2019s configuration and form management pages. This limits the impact if any access control gaps persist.", "Review other WordPress plugins for similar authorization issues and apply available updates."], "summary": {"action": "Patch Now", "impact": "Unauthorized administrative access"}, "threat_synthesis": {"affected_systems": "Sites running the Loopus WP Cost Estimation & Payment Forms Builder plugin on WordPress with any version earlier than 10.3.0 are affected. This includes installations that have not been updated to the latest release, regardless of other configuration settings.", "description_and_impact": "The vulnerability is a missing authorization flaw in the Loopus WP Cost Estimation & Payment Forms Builder plugin that allows attackers to bypass configured access controls. In effect, an attacker could access or modify sensitive plugin data, generate or alter payment forms, and potentially harvest user information. This represents a direct compromise of data confidentiality and integrity for the site.", "risk_and_exploitability": "The CVSS score is not listed in the provided data, and no EPSS or KEV information is available. The likely attack vector is through the web interface where a user with sufficient credentials or even an unauthenticated attacker could submit requests that are not properly checked for permissions. While precise exploitation details are not disclosed, the potential for unauthorized access to administrative functions makes this a significant risk for affected sites."}}}}, "created": "2026-03-25T21:34:51.628993+00:00", "updated": "2026-03-25T21:34:51.629016+00:00", "vendors": []}