{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22487", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.294Z", "datePublished": "2026-01-08T16:37:41.558Z", "dateUpdated": "2026-04-28T16:14:45.585Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "baqend", "product": "Speed Kit", "vendor": "baqend", "versions": [{"lessThanOrEqual": "2.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:03.147Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Speed Kit: from n/a through <= 2.0.2.</p>"}], "value": "Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through <= 2.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.585Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Speed Kit plugin <= 2.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T17:05:50.152086Z", "id": "CVE-2026-22487", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:58:46.456Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22487", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T17:05:50.152086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T17:06:18.435Z"}}], "cna": {"title": "WordPress Speed Kit plugin <= 2.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "baqend", "product": "Speed Kit", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.2"}], "packageName": "baqend", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:50.063Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through <= 2.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Speed Kit: from n/a through <= 2.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22487", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:58:46.456Z", "dateReserved": "2026-01-07T13:44:23.294Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T16:37:41.558Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through <= 2.0.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en baqend Speed Kit permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Speed Kit: desde n/a hasta 2.0.2."}], "id": "CVE-2026-22487", "lastModified": "2026-04-23T15:36:34.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T17:15:50.923", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/baqend/vulnerability/wordpress-speed-kit-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:13:45.635980+00:00", "value": {"mitigation_remediation": ["Upgrade the Speed Kit plugin to a version newer than 2.0.2. ", "If an immediate upgrade is not feasible, disable or remove the plugin entirely from the WordPress installation. ", "Audit the WordPress installation for any other plugins or custom code that may rely on the same access control model and apply similar access restrictions or harden the configuration to enforce proper authorization checks."], "summary": {"action": "Upgrade", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All installations of the baqend Speed Kit plugin for WordPress from the earliest available version through version 2.0.2 are affected. The impact applies regardless of the site\u2019s user base, meaning any site that has installed the plugin without updating to a newer release is at risk.", "description_and_impact": "The vulnerability is a missing authorization flaw that allows an attacker to bypass the intended access controls in the Speed Kit plugin for WordPress. The flaw stems from incorrectly configured security levels, enabling an attacker to reach endpoints or configuration interfaces that should be restricted to privileged users. This vulnerability is classified as CWE-862, indicating a failure to enforce access control restrictions.", "risk_and_exploitability": "The EPSS score is below 1 percent, and the vulnerability has not been listed in CISA KEV, suggesting that current exploitation activity is low but not impossible. The attack likely requires the ability to send crafted requests to the vulnerable plugin endpoints, and the exact prerequisite authentication state is not explicitly documented, which implies that the flaw may be exploitable from unauthenticated or minimally privileged contexts. Attackers could gain unauthorized access to configuration information or administrative controls, potentially leading to further compromises of the WordPress site. The CVSS score of 4.3 indicates a moderate risk."}}}}, "created": "2026-01-09T13:24:32.253675+00:00", "updated": "2026-04-28T18:15:37.375738+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}