Description
Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through <= 2.0.2.
Published: 2026-02-20
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress AIO WP Builder contains a missing authorization flaw that lets attackers exploit incorrectly configured access control security levels. When leveraged, the vulnerability permits access to privileged plugin functions that should be restricted, potentially allowing an attacker to modify site content, change settings, or gain further control over the underlying WordPress environment, compromising confidentiality, integrity, and availability of the site. The weakness is classified as CWE‑862.

Affected Systems

Endpoint vendor staviravn offers the AIO WP Builder plugin for WordPress. All releases from the initial version up to and including 2.0.2 are affected. The vulnerability does not apply to versions 2.0.3 and higher.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity level. The EPSS score is below 1%, implying that current exploitation activity is minimal. The flaw is not listed in the CISA KEV catalog. Attackers are likely to exploit the weakness by authenticating to a WordPress site (or using an existing attacker-controlled user), then accessing the vulnerable plugin’s administrative pages that are not properly protected. In the absence of a publicly available exploit, the risk remains theoretical but the high CVSS warrants cautious mitigation.

Generated by OpenCVE AI on April 30, 2026 at 04:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AIO WP Builder to version 2.0.3 or later to remove the authentication bypass.
  • If upgrading immediately is not possible, restrict access to the plugin’s admin URLs to administrator users only and monitor for unauthorized access attempts.
  • Continuously monitor site logs and audit plugin settings for unexpected changes to detect potential exploitation early.

Generated by OpenCVE AI on April 30, 2026 at 04:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

 cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Staviravn
Staviravn aio Wp Builder
Wordpress
Wordpress wordpress
Vendors & Products Staviravn
Staviravn aio Wp Builder
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through <= 2.0.2.
Title WordPress AIO WP Builder Plugin <= 2.0.2 - Broken Access Control Vulnerability
Weaknesses CWE-862
References

Subscriptions

Staviravn Aio Wp Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:20.862Z

Reserved: 2025-06-27T10:27:53.889Z

Link: CVE-2025-53217

cve-icon Vulnrichment

Updated: 2026-02-26T18:51:38.148Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:01.647

Modified: 2026-04-27T17:16:27.603

Link: CVE-2025-53217

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:15:26Z

Weaknesses