Description
Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.
Published: 2026-01-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Update Plugin
AI Analysis

Impact

Missing authorization (CWE-862) in the BOX NOW Delivery WordPress plugin lets users bypass the plugin's configured access-control levels and perform privileged actions they are not authorized for. The flaw is a broken access control that grants unauthorized users access to functions normally restricted to administrators or editors, potentially exposing sensitive content or configuration data. Attackers can exploit this to modify delivery settings, view restricted content, or manipulate plugin behavior, thereby threatening the integrity and confidentiality of the website.
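To make the CWE-862 pattern concrete, the following is an added, hypothetical WordPress plugin fragment (it is not code from the BOX NOW Delivery plugin; the action names, option name and capability are assumptions). It shows an AJAX handler that saves a delivery setting with no authorization check, followed by the hardened form that verifies a capability and a nonce, and the equivalent rule for a REST route:

```php
<?php
// Hypothetical WordPress plugin code illustrating CWE-862 (Missing Authorization).
// Names such as 'example_save_delivery_setting' and 'example_delivery_setting'
// are assumed for this example; they are not from the BOX NOW Delivery plugin.

// --- Vulnerable pattern: the callback trusts any request that reaches it ---
// The wp_ajax_nopriv_* hook also exposes the action to visitors who are not
// logged in, and the callback never asks who is calling or whether the caller
// is allowed to change site options.
function example_save_delivery_setting_unsafe() {
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_delivery_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
add_action( 'wp_ajax_example_save_delivery_setting_unsafe', 'example_save_delivery_setting_unsafe' );
add_action( 'wp_ajax_nopriv_example_save_delivery_setting_unsafe', 'example_save_delivery_setting_unsafe' );

// --- Hardened pattern: authorization (capability) plus CSRF protection (nonce) ---
function example_save_delivery_setting_hardened() {
    // Authorization: only users who may manage site options can change the setting.
    // wp_send_json_error() ends the request, so execution does not continue past it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Intent check: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_save_delivery_setting', 'nonce' );

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'example_delivery_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
// Registered only for logged-in users: there is no wp_ajax_nopriv_ hook, so
// anonymous requests never reach the callback at all.
add_action( 'wp_ajax_example_save_delivery_setting', 'example_save_delivery_setting_hardened' );

// The same rule applies to REST endpoints: permission_callback must enforce a
// capability (never '__return_true') for anything that changes state.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/delivery-setting', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
            update_option( 'example_delivery_setting', $value );
            return rest_ensure_response( array( 'saved' => $value ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

In a real plugin only the hardened handler would be registered; the unsafe one is kept here for contrast. When auditing a plugin for this weakness, the things to look for are exactly the two missing pieces above: state-changing callbacks on `wp_ajax_`/`wp_ajax_nopriv_` hooks or REST routes with no `current_user_can()` check, and no nonce verification.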

Affected Systems

All versions of the Box NOW Delivery WordPress plugin from the initial release through version 3.0.2 are impacted, meaning any WordPress site that has not upgraded past 3.0.2 exposes itself to this vulnerability.

Risk and Exploitability

With a CVSS score of 4.3 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), the vulnerability is rated medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation under current conditions. The issue is not listed in the CISA KEV catalog. The CVE description does not explicitly state an attack vector; the CVSS vector (AV:N, PR:L) and the plugin's nature indicate that the flaw is reachable through standard HTTP requests to the plugin's endpoints by a user holding low privileges, i.e. a network-based attack through the web interface. Although no widespread exploitation has been reported, organizations that rely on this plugin should consider the moderate risk of unauthorized access to protected functions.

Generated by OpenCVE AI on April 16, 2026 at 07:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BOX NOW Delivery WordPress plugin to the latest released version, which includes the authorization fix.
  • Disable or restrict access to the plugin's administrative pages using web-server rules or firewall settings to expose only authenticated administrators.
  • Review and tighten the plugin’s configuration to ensure that no public or overly permissive access levels remain enabled, and implement additional authentication or IP filtering if necessary.



Advisories

No advisories yet.

History

Mon, 26 Jan 2026 20:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
  Values Added: Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.
Type: Title
  Values Added: WordPress BOX NOW Delivery plugin <= 3.0.2 - Broken Access Control vulnerability
Type: Weaknesses
  Values Added: CWE-862
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:19.451Z

Reserved: 2026-01-23T12:32:02.838Z

Link: CVE-2026-24571

Vulnrichment

Updated: 2026-01-26T18:38:37.194Z

NVD

Status : Deferred

Published: 2026-01-23T15:16:15.067

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses