{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39606", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:22.616Z", "dateUpdated": "2026-04-08T08:30:22.616Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bizreview", "product": "BizReview", "vendor": "Foysal Imran", "versions": [{"lessThanOrEqual": "1.5.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:33.485Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects BizReview: from n/a through <= 1.5.13.</p>"}], "value": "Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:22.616Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bizreview/vulnerability/wordpress-bizreview-plugin-1-5-13-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress BizReview plugin <= 1.5.13 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13."}], "id": "CVE-2026-39606", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:29.890", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bizreview/vulnerability/wordpress-bizreview-plugin-1-5-13-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BizReview", "source": "cna", "vendor": "Foysal Imran"}, "product": "bizreview", "vendor": "foysal_imran"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:44:08.773329+00:00", "value": {"mitigation_remediation": ["Update the BizReview plugin to the newest available release that resolves the authorization issue. If no patch has been released, disable or uninstall the plugin until a fix is provided. Apply access restrictions to plugin URLs using server\u2011level rules or a security plugin to ensure only authenticated users can reach sensitive endpoints. Monitor access logs for anomalous activity and review user permissions to mitigate potential abuse."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Foysal Imran BizReview plugin from the initial release through version 1.5.13. Any WordPress site that has installed these versions is potentially exposed, regardless of the WordPress core version. The plugin\u2019s publicly accessible endpoints are the likely points of exploitation.", "description_and_impact": "The BizReview WordPress plugin contains a missing authorization flaw that lets an attacker bypass required access controls. This broken access control can be used to view, add, edit, or delete review content and potentially manipulate other plugin data without proper user permissions, effectively compromising confidentiality and integrity of site content.", "risk_and_exploitability": "The flaw is a classic broken access control scenario (CWE\u2011862). While CVSS and EPSS metrics are not available, the impact is high because an attacker can gain privileged operations without authentication. The attack vector is inferred to be remote, via HTTP requests to plugin endpoints that should otherwise be secured. No official KEV listing is present, but the absence of a patch means the risk remains significant for all affected sites."}}}}, "created": "2026-04-08T19:29:54.456690+00:00", "updated": "2026-04-08T19:42:11.803011+00:00", "vendors": ["foysal_imran", "foysal_imran$PRODUCT$bizreview", "wordpress", "wordpress$PRODUCT$wordpress"]}