Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13.
AnalysisAI
Missing authorization in Foysal Imran BizReview WordPress plugin versions up to 1.5.13 allows unauthenticated remote attackers to modify data via incorrectly configured access control, bypassing intended permission restrictions. The CVSS score of 5.3 reflects low integrity impact with no confidentiality or availability compromise. EPSS probability is extremely low at 0.02%, and no public exploit code or active exploitation has been identified, suggesting this is a configuration-level authorization flaw rather than a critical remote code execution vulnerability.
Technical ContextAI
BizReview is a WordPress plugin that implements business review functionality. The vulnerability stems from CWE-862 (Missing Authorization), a category describing systems that fail to verify a user has permission to perform requested actions. In WordPress plugins, this typically manifests when access control checks are omitted from endpoints or functions that modify sensitive data, such as creating, updating, or deleting reviews and associated metadata. The CPE string cpe:2.3:a:foysal_imran:bizreview:*:*:*:*:*:*:*:* indicates the vulnerability affects all versions of the plugin up through 1.5.13. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) shows the flaw is remotely exploitable with no complexity or user interaction required, but only impacts data integrity (I:L) without code execution or availability impact.
RemediationAI
Update the BizReview plugin to a patched version released after 1.5.13 as soon as a fix is available from the vendor. Until a patched version is released, apply the following workarounds: (1) disable the BizReview plugin if it is not actively required; (2) restrict access to WordPress administrative functions and plugin settings to trusted users only; (3) implement additional server-level access controls or Web Application Firewall (WAF) rules to limit unauthorized modifications to review data; (4) monitor plugin activity logs for unexpected data changes or unauthorized review submissions. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/bizreview/vulnerability/wordpress-bizreview-plugin-1-5-13-broken-access-control-vulnerability) and NVD entry for the latest patch availability and vendor communication.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20238
GHSA-vpjp-3jwf-79p7