CVE-2026-22487 - Vulnerability Details

- WordPress Speed Kit plugin <= 2.0.2 - Broken Access Control vulnerability

Description

Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through <= 2.0.2.

Published: 2026-01-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to bypass the intended access controls in the Speed Kit plugin for WordPress. The flaw stems from incorrectly configured security levels, enabling an attacker to reach endpoints or configuration interfaces that should be restricted to privileged users. This vulnerability is classified as CWE-862, indicating a failure to enforce access control restrictions.

Affected Systems

All installations of the baqend Speed Kit plugin for WordPress from the earliest available version through version 2.0.2 are affected. The impact applies regardless of the site’s user base, meaning any site that has installed the plugin without updating to a newer release is at risk.

Risk and Exploitability

The EPSS score is below 1 percent, and the vulnerability has not been listed in CISA KEV, suggesting that current exploitation activity is low but not impossible. The attack likely requires the ability to send crafted requests to the vulnerable plugin endpoints, and the exact prerequisite authentication state is not explicitly documented, which implies that the flaw may be exploitable from unauthenticated or minimally privileged contexts. Attackers could gain unauthorized access to configuration information or administrative controls, potentially leading to further compromises of the WordPress site.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

baqend

Speed Kit

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.2

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Speed Kit plugin to a version newer than 2.0.2.
If an immediate upgrade is not feasible, disable or remove the plugin entirely from the WordPress installation.
Audit the WordPress installation for any other plugins or custom code that may rely on the same access control model and apply similar access restrictions or harden the configuration to enforce proper authorization checks.

Generated by OpenCVE AI on April 16, 2026 at 08:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2.	Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through <= 2.0.2.
References	https://patchstack.com/database/wordpress/plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2.
Title		WordPress Speed Kit plugin <= 2.0.2 - Broken Access Control vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/wordpress/plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-01-08T16:37:41.558Z

Updated: 2026-04-01T18:29:28.402Z

Reserved: 2026-01-07T13:44:23.294Z

Link: CVE-2026-22487

Vulnrichment

Updated: 2026-01-08T17:06:18.435Z

NVD

Status : Deferred

Published: 2026-01-08T17:15:50.923

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22487

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:45:26Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object