Skip to main content

Bizreview CVE-2026-39606

| EUVDEUVD-2026-20238 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-vpjp-3jwf-79p7
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20238
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13.

AnalysisAI

Missing authorization in Foysal Imran BizReview WordPress plugin versions up to 1.5.13 allows unauthenticated remote attackers to modify data via incorrectly configured access control, bypassing intended permission restrictions. The CVSS score of 5.3 reflects low integrity impact with no confidentiality or availability compromise. EPSS probability is extremely low at 0.02%, and no public exploit code or active exploitation has been identified, suggesting this is a configuration-level authorization flaw rather than a critical remote code execution vulnerability.

Technical ContextAI

BizReview is a WordPress plugin that implements business review functionality. The vulnerability stems from CWE-862 (Missing Authorization), a category describing systems that fail to verify a user has permission to perform requested actions. In WordPress plugins, this typically manifests when access control checks are omitted from endpoints or functions that modify sensitive data, such as creating, updating, or deleting reviews and associated metadata. The CPE string cpe:2.3:a:foysal_imran:bizreview:*:*:*:*:*:*:*:* indicates the vulnerability affects all versions of the plugin up through 1.5.13. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) shows the flaw is remotely exploitable with no complexity or user interaction required, but only impacts data integrity (I:L) without code execution or availability impact.

RemediationAI

Update the BizReview plugin to a patched version released after 1.5.13 as soon as a fix is available from the vendor. Until a patched version is released, apply the following workarounds: (1) disable the BizReview plugin if it is not actively required; (2) restrict access to WordPress administrative functions and plugin settings to trusted users only; (3) implement additional server-level access controls or Web Application Firewall (WAF) rules to limit unauthorized modifications to review data; (4) monitor plugin activity logs for unexpected data changes or unauthorized review submissions. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bizreview/vulnerability/wordpress-bizreview-plugin-1-5-13-broken-access-control-vulnerability) and NVD entry for the latest patch availability and vendor communication.

Share

CVE-2026-39606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy