CVE-2026-23804
Missing Authorization in Better Business Reviews Plugin Allows Unauthorized Access
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| better_business_reviews | better_business_reviews | From 0.1.1 (inc) |
| better_business_reviews | better_business_reviews | to 0.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23804 is a broken access control vulnerability in the WordPress Better Business Reviews plugin versions 0.1.1 and earlier.
This issue arises from missing authorization, authentication, or nonce token checks in certain functions, allowing unprivileged users to perform actions reserved for higher-privileged roles.
The vulnerability is classified under the OWASP Top 10 category A1: Broken Access Control.
How can this vulnerability impact me? :
Because of missing authorization checks, unprivileged users such as subscribers or developers can perform actions that should be restricted to higher-privileged roles.
This can lead to unauthorized access or modification of data or settings within the Better Business Reviews plugin.
The CVSS score of 5.4 indicates a low severity impact and a low priority for exploitation, but it still poses a security risk if left unpatched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the Better Business Reviews plugin versions 0.1.1 and earlier, allowing unprivileged users to perform actions reserved for higher-privileged roles.
Detection would involve checking the plugin version installed on your WordPress system and verifying if it is version 0.1.1 or earlier.
You can use the following command to check the plugin version via WP-CLI:
- wp plugin list --status=active
Look for the Better Business Reviews plugin and verify its version. If it is 0.1.1 or earlier, the system is vulnerable.
Additionally, monitoring logs for unauthorized actions performed by subscriber or developer roles could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate and recommended mitigation step is to update the Better Business Reviews plugin to version 0.1.2 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'Using automated update tools such as Patchstack can provide rapid protection by automatically updating vulnerable plugins.'}, {'type': 'paragraph', 'content': "Until the update is applied, restrict access to the plugin's functions by limiting user roles or permissions, especially for subscriber or developer roles, to reduce the risk of exploitation."}] [1]