Skip to main content

B2BKing EUVDEUVD-2026-31757

| CVE-2026-27346 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-8x2q-39xh-589q
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:49 vuln.today
Patch available
May 26, 2026 - 14:01 EUVD

DescriptionCVE.org

Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects B2BKing: from n/a before 5.2.10.

AnalysisAI

Missing authorization controls in the B2BKing WordPress plugin (versions prior to 5.2.10) allow authenticated high-privileged attackers to exploit incorrectly configured access control security levels, resulting in unauthorized data or configuration modification (high integrity impact). No confidentiality or availability impact is indicated by the CVSS vector. No public exploit identified at time of analysis, and CISA SSVC rates exploitation as none with partial technical impact, suggesting limited real-world threat at this time.

Technical ContextAI

B2BKing is a WooCommerce-integrated wholesale/B2B plugin for WordPress developed by Kings Plugins, identified via CPE cpe:2.3:a:kings_plugins:b2bking:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of vulnerability where server-side code performs a sensitive operation without verifying that the requesting principal is authorized to do so. In the WordPress plugin ecosystem, this typically manifests as REST API endpoints, AJAX handlers, or admin actions that check authentication (confirming a user is logged in) but fail to verify authorization (confirming the user has the right role or capability to perform the specific action). The 'Exploiting Incorrectly Configured Access Control Security Levels' descriptor suggests B2BKing's layered B2B role/pricing tier system has at least one action where authorization enforcement is absent or bypassable.

RemediationAI

The vendor has released a patch; upgrade B2BKing to version 5.2.10 or later immediately. The fix was documented by Patchstack and can be confirmed via the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/b2bking-wholesale-for-woocommerce/vulnerability/wordpress-b2bking-wholesale-for-woocommerce-5-2-10-broken-access-control-vulnerability. If immediate upgrading is not possible, a compensating control is to restrict high-privileged B2BKing user accounts to only trusted personnel and audit existing high-privilege role assignments within the plugin's access control tier configuration - this limits the pool of principals who could exploit the missing authorization check, though it does not eliminate the vulnerability. Monitor WordPress admin audit logs for unexpected changes to B2BKing-managed pricing tiers, customer groups, or restricted content.

Share

EUVD-2026-31757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy