CVE-2026-22487
Description
Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through <= 2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Speed Kit plugin (≤2.0.2) allows unauthenticated attackers to exploit access control levels, leading to unauthorized actions.
The Speed Kit plugin for WordPress (versions up to and including 2.0.2) contains a missing authorization vulnerability. This flaw arises from insufficient access control checks on certain functions, allowing attackers to bypass intended security levels [1].
Attackers can exploit this vulnerability by sending specially crafted requests to vulnerable endpoints without requiring authentication. The attack surface includes any unauthenticated access points, making it possible to target a wide range of WordPress installations running the affected plugin [1].
Successful exploitation allows an unprivileged attacker to execute actions that should be restricted to higher-privileged users, such as administrators. This can lead to unauthorized data access, configuration changes, or further compromise of the WordPress site [1].
As an immediate mitigation, users are advised to update the Speed Kit plugin to a patched version. If an update is unavailable, consider disabling the plugin or implementing additional access controls via hosting or security measures [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.