{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22481", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:16.751Z", "datePublished": "2026-01-22T16:52:41.710Z", "dateUpdated": "2026-04-28T17:19:10.174Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bd-courier-order-ratio-checker", "product": "BD Courier Order Ratio Checker", "vendor": "Rasedul Haque Rumi", "versions": [{"lessThanOrEqual": "2.0.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:02.662Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.</p>"}], "value": "Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.640Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress BD Courier Order Ratio Checker plugin <= 2.0.1 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:20:50.071200Z", "id": "CVE-2026-22481", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:19:10.174Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22481", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T21:20:50.071200Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:20:11.251Z"}}], "cna": {"title": "WordPress BD Courier Order Ratio Checker plugin <= 2.0.1 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Rasedul Haque Rumi", "product": "BD Courier Order Ratio Checker", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.1"}], "packageName": "bd-courier-order-ratio-checker", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:02.662Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.105Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22481", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:27:42.122Z", "dateReserved": "2026-01-07T13:44:16.751Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:41.710Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1."}, {"lang": "es", "value": "Vulnerabilidad de falta de autorizaci\u00f3n en Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a BD Courier Order Ratio Checker: desde n/a hasta &lt;= 2.0.1."}], "id": "CVE-2026-22481", "lastModified": "2026-04-28T19:36:40.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:36.013", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:03:06.725945+00:00", "value": {"mitigation_remediation": ["Update the BD Courier Order Ratio Checker plugin to version 2.0.2 or later to eliminate the missing authorization checks.", "Configure WordPress role permissions or apply a role\u2011management plugin to restrict access to the plugin\u2019s administrative interface to authorized users only.", "Audit the site\u2019s database and configuration to detect any unauthorized changes that may have been made through the compromised plugin functions."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized access to protected plugin data and functionality"}, "threat_synthesis": {"affected_systems": "WordPress sites running the BD Courier Order Ratio Checker plugin by Rasedul Haque Rumi, versions n/a through 2.0.1.", "description_and_impact": "The BD Courier Order Ratio Checker plugin for WordPress contains missing authorization checks that result in broken access control. Attackers can exploit this flaw to access administrative features or sensitive order data that should be restricted to privileged users. The weakness corresponds to CWE\u2011862, indicating a failure in enforcing proper permission checks.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating moderate severity, but the EPSS score is under 1%, meaning the likelihood of exploitation is low at present. The plugin is a web\u2011based component, so the likely attack vector is remote over HTTP/HTTPS, though an attacker requires only the ability to reach the WordPress installation without privileged access. The plugin is not listed in CISA\u2019s KEV catalog."}}}}, "created": "2026-01-23T16:28:32.191380+00:00", "updated": "2026-04-28T18:15:37.355765+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}