Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-49062 represents a critical authentication bypass vulnerability in WP Engine's Faust.js library (versions through 1.8.7) that exploits an alternate path in the password recovery mechanism. This vulnerability allows attackers to circumvent standard authentication controls by leveraging an unintended channel in the password reset flow, effectively granting unauthorized access to user accounts. Organizations using affected versions of Faust.js—particularly those building headless WordPress applications—face immediate risk of account takeover and unauthorized data access. The high CVSS score of 8.8 underscores the severity, as attackers can exploit this flaw with minimal complexity to compromise user authentication integrity.
While this CVE lacks explicit MITRE ATT&CK technique mapping, Casky.ai's 754 security skills leverage Claude's extended reasoning to identify the underlying attack patterns associated with authentication bypass vulnerabilities. Practitioners using Casky would detect indicators aligned with credential access techniques—specifically those involving exploitation of authentication mechanisms and account recovery processes. The platform's AI-driven analysis would flag suspicious password recovery requests that deviate from normal patterns, detect multiple failed authentication attempts followed by successful account access via alternate channels, and identify anomalous account modifications during recovery windows. Security teams would receive findings highlighting weak cryptographic validation in token generation, insufficient rate limiting on recovery endpoints, and insufficient verification of user identity during password resets—enabling them to remediate before exploitation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-49062. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation