Description
Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Business Reviews: from n/a through <= 0.1.1.
Published: 2026-02-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to Better Business Reviews features
Action: Immediate patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows an attacker to access and manipulate the Better Business Reviews plugin without proper permissions. This was identified as CWE‑862, indicating a lack of access control checks. An attacker who reaches the affected functionality could read, edit, or delete review data, potentially compromising the integrity and confidentiality of business review information stored in the WordPress database.

Affected Systems

All installations of BBR Plugins Better Business Reviews up to and including version 0.1.1 are vulnerable. The issue applies to every site that has deployed this plugin version, without regard to additional configuration or external controls.

Risk and Exploitability

The CVSS score of 5.4 places the issue in the medium severity range, and the EPSS score of less than 1% suggests that widespread exploitation is currently uncommon. Because the vulnerability is accessed via the plugin’s web interface, any publicly reachable WordPress site that has not been patched can be exploited by an unauthenticated actor. The plugin’s functionality is not restricted by any external authentication layer, so the attack surface is relatively high. Even though the exploit probability is low, the potential impact to business review data warrants prompt attention.

Generated by OpenCVE AI on April 16, 2026 at 06:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Better Business Reviews plugin to version 0.1.2 or later.
  • If the update is not yet available, remove or disable the plugin entirely from the site.
  • As an interim measure, restrict access to the plugin’s administrative URLs using a web‑server rule (e.g., .htaccess) or a security plugin that limits access to collaborators only.


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Bbr Plugins
Bbr Plugins better Business Reviews
Wordpress
Wordpress wordpress
Vendors & Products Bbr Plugins
Bbr Plugins better Business Reviews
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Business Reviews: from n/a through <= 0.1.1.
Title WordPress Better Business Reviews plugin <= 0.1.1 - Broken Access Control vulnerability
Weaknesses CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:47.286Z

Reserved: 2026-01-16T14:15:17.505Z

Link: CVE-2026-23804

Vulnrichment

Updated: 2026-02-19T21:20:11.516Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:13.217

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23804

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses