{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22488", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.294Z", "datePublished": "2026-01-08T16:35:04.136Z", "dateUpdated": "2026-04-28T16:14:46.240Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "dashboard-welcome-for-beaver-builder", "product": "Dashboard Welcome for Beaver Builder", "vendor": "IdeaBox Creations", "versions": [{"lessThanOrEqual": "1.0.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:03.438Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder dashboard-welcome-for-beaver-builder allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Dashboard Welcome for Beaver Builder: from n/a through <= 1.0.8.</p>"}], "value": "Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder dashboard-welcome-for-beaver-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through <= 1.0.8."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.240Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/dashboard-welcome-for-beaver-builder/vulnerability/wordpress-dashboard-welcome-for-beaver-builder-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Dashboard Welcome for Beaver Builder plugin <= 1.0.8 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T16:53:43.190472Z", "id": "CVE-2026-22488", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T16:54:05.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T16:53:43.190472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T16:53:58.447Z"}}], "cna": {"title": "WordPress Dashboard Welcome for Beaver Builder plugin <= 1.0.8 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IdeaBox Creations", "product": "Dashboard Welcome for Beaver Builder", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.8"}], "packageName": "dashboard-welcome-for-beaver-builder", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:50.594Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/dashboard-welcome-for-beaver-builder/vulnerability/wordpress-dashboard-welcome-for-beaver-builder-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder dashboard-welcome-for-beaver-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through <= 1.0.8.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder dashboard-welcome-for-beaver-builder allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Dashboard Welcome for Beaver Builder: from n/a through <= 1.0.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.122Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22488", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:03.122Z", "dateReserved": "2026-01-07T13:44:23.294Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T16:35:04.136Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder dashboard-welcome-for-beaver-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through <= 1.0.8."}, {"lang": "es", "value": "Vulnerabilidad de Falta de Autorizaci\u00f3n en IdeaBox Creations Dashboard Welcome for Beaver Builder permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Dashboard Welcome for Beaver Builder: desde n/a hasta 1.0.8."}], "id": "CVE-2026-22488", "lastModified": "2026-04-23T15:36:34.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T17:15:51.070", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/dashboard-welcome-for-beaver-builder/vulnerability/wordpress-dashboard-welcome-for-beaver-builder-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:13:57.090029+00:00", "value": {"mitigation_remediation": ["Upgrade Dashboard Welcome for Beaver Builder to version 1.0.9 or later, which contains the authorization fix.", "After updating, verify that only administrators have access to the plugin\u2019s dashboard through the WordPress role management settings.", "If an upgrade is not immediately possible, temporarily disable the plugin\u2019s front\u2011end pages or restrict its access to the admin area until a patch can be applied."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The issue affects the IdeaBox Creations Dashboard Welcome for Beaver Builder plugin versions up to and including 1.0.8. Any WordPress installation that has this plugin installed and has not been updated to a newer release is vulnerable.", "description_and_impact": "The vulnerability is a missing authorization flaw (CWE\u2011862) in the WordPress plugin Dashboard Welcome for Beaver Builder. Legitimate users who are logged into the site can reach plugin\u2011related pages that are intended for administrators only, potentially exposing or modifying site content without proper permission checks. This flaw does not directly grant code execution but can lead to unauthorized data access or configuration changes.", "risk_and_exploitability": "The EPSS score is below 1\u202f%, indicating a very low likelihood of exploitation at present, and the flaw is not listed in the CISA KEV catalog. The CVSS score of 5.3 indicates a moderate severity rating. However, because the flaw allows lower\u2011privilege users to view or modify protected plugin content, the potential impact on confidentiality and availability remains significant. An attacker would first need to authenticate to the site and then request a plugin page; the lack of authorization checks would allow access to administrative features."}}}}, "created": "2026-01-09T13:24:29.437385+00:00", "updated": "2026-04-28T18:15:37.376547+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}