Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in raratheme Business One Page business-one-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business One Page: from n/a through <= 1.3.2.
AnalysisAI
Business One Page up to version 1.3.2 contains an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data due to improperly configured access controls. An attacker can exploit this weakness to alter sensitive information without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability resides in the raratheme Business One Page WordPress plugin (CPE: cpe:2.3:a:raratheme:business-one-page), a one-page business website theme/plugin for WordPress. The root cause is classified under CWE-862 (Missing Authorization), which indicates that the application fails to perform proper authorization checks before allowing access to sensitive operations. The plugin appears to expose administrative or data-modifying functionality without verifying user roles, capabilities, or session tokens. This is a common WordPress vulnerability pattern where REST API endpoints, admin-ajax.php handlers, or theme functions lack proper nonce validation and capability checks, allowing any anonymous request to trigger state changes.
RemediationAI
Immediately upgrade the raratheme Business One Page plugin to a version later than 1.3.2; consult the WordPress plugin repository or raratheme's official website for the latest stable release and changelog confirmation. Until a patch is deployed, implement the following mitigations: restrict WordPress admin and plugin access via IP whitelisting or VPN to trusted networks only, apply a Web Application Firewall (WAF) rule to block unauthorized POST/PUT requests to plugin endpoints, enable WordPress security headers and ensure all user accounts use strong passwords with two-factor authentication, and audit recent database and file modifications for signs of compromise. Additionally, consider temporarily disabling the plugin if it is not actively required for core business operations.
More in Business One Page
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11822