Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects B2BKing: from n/a before 5.2.10.
AnalysisAI
Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.
Technical ContextAI
B2BKing is a WooCommerce-integrated wholesale/B2B plugin for WordPress developed by Kings Plugins, identified via CPE cpe:2.3:a:kings_plugins:b2bking:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of vulnerability where server-side code performs a sensitive operation without verifying that the requesting principal is authorized to do so. In the WordPress plugin ecosystem, this typically manifests as REST API endpoints, AJAX handlers, or admin actions that check authentication (confirming a user is logged in) but fail to verify authorization (confirming the user has the right role or capability to perform the specific action). The 'Exploiting Incorrectly Configured Access Control Security Levels' descriptor suggests B2BKing's layered B2B role/pricing tier system has at least one action where authorization enforcement is absent or bypassable.
RemediationAI
The vendor has released a patch; upgrade B2BKing to version 5.2.10 or later immediately. The fix was documented by Patchstack and can be confirmed via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/b2bking-wholesale-for-woocommerce/vulnerability/wordpress-b2bking-wholesale-for-woocommerce-5-2-10-broken-access-control-vulnerability. If immediate upgrading is not possible, a compensating control is to restrict high-privileged B2BKing user accounts to only trusted personnel and audit existing high-privilege role assignments within the plugin's access control tier configuration - this limits the pool of principals who could exploit the missing authorization check, though it does not eliminate the vulnerability. Monitor WordPress admin audit logs for unexpected changes to B2BKing-managed pricing tiers, customer groups, or restricted content.
The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on
The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31757
GHSA-8x2q-39xh-589q