{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24571", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:02.838Z", "datePublished": "2026-01-23T14:28:56.952Z", "dateUpdated": "2026-04-28T16:14:49.711Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "box-now-delivery", "product": "BOX NOW Delivery", "vendor": "boxnow", "versions": [{"changes": [{"at": "3.2.0", "status": "unaffected"}], "lessThanOrEqual": "3.0.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:55.135Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.</p>"}], "value": "Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BOX NOW Delivery: from n/a through <= 3.0.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.711Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress BOX NOW Delivery plugin <= 3.0.2 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:38:40.280515Z", "id": "CVE-2026-24571", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:29:38.663Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24571", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:38:40.280515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:38:37.194Z"}}], "cna": {"title": "WordPress BOX NOW Delivery plugin <= 3.0.2 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "boxnow", "product": "BOX NOW Delivery", "versions": [{"status": "affected", "changes": [{"at": "3.2.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.0.2"}], "packageName": "box-now-delivery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:55.135Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24571", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:29:38.663Z", "dateReserved": "2026-01-23T12:32:02.838Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:56.952Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BOX NOW Delivery: from n/a through <= 3.0.2."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en boxnow BOX NOW Delivery box-now-delivery permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a BOX NOW Delivery: desde n/a hasta &lt;= 3.0.2."}], "id": "CVE-2026-24571", "lastModified": "2026-04-28T15:16:15.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:15.067", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:27:47.583468+00:00", "value": {"mitigation_remediation": ["Upgrade the BOX NOW Delivery WordPress plugin to the latest released version, which includes the authorization fix.", "Disable or restrict access to the plugin\u2019s administrative pages using web\u2011server rules or firewall settings to expose only authenticated administrators.", "Review and tighten the plugin\u2019s configuration to ensure that no public or overly permissive access levels remain enabled, and implement additional authentication or IP filtering if necessary."], "summary": {"action": "Update Plugin", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "All versions of the Box NOW Delivery WordPress plugin from the initial release through version 3.0.2 are impacted, meaning any WordPress site that has not upgraded past 3.0.2 exposes itself to this vulnerability.", "description_and_impact": "Missing authorization in the BOX NOW Delivery WordPress plugin enables users to bypass configured security levels, allowing them to perform privileged actions without authenticating. The flaw is a broken access control that grants unauthorized users access to functions normally restricted to administrators or editors, potentially exposing sensitive content or configuration data. Attackers can exploit this to modify delivery settings, view restricted content, or manipulate plugin behavior, thereby threatening the integrity and confidentiality of the website.", "risk_and_exploitability": "With a CVSS score of 4.3, the vulnerability is considered low severity, and the EPSS score of less than 1% indicates a very low probability of exploitation under current conditions. The issue is not listed in the CISA KEV catalog. The CVE does not explicitly state an attack vector; based on the plugin\u2019s nature and the description, it is inferred that the flaw could be accessed via standard HTTP requests to the plugin\u2019s endpoints, implying a network-based attack through the web interface. Although no widespread exploitation has been reported, organizations that rely on this plugin should consider the moderate risk of unauthorized access to protected functions."}}}}, "created": "2026-01-26T11:53:38.867522+00:00", "updated": "2026-04-16T07:30:28.608087+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}