CVE-2026-22488

The Dashboard Welcome for Beaver Builder plugin for WordPress, versions 1.0.8 and earlier, contains a missing authorization vulnerability [1]. The plugin fails to properly verify access control security levels, meaning that functions intended for higher-privileged users may not have adequate permission checks [1]. This oversight is classified as a broken access control issue [1].

Exploitation of this vulnerability does not require authentication, as the missing authorization check allows any user, including unauthenticated visitors, to access privileged functions [1]. The attack surface is the WordPress admin dashboard area affected by the plugin, and no special network position is needed; the vulnerability can be triggered via a standard HTTP request [1].

An attacker successfully exploiting this flaw could perform actions that should be restricted to administrators, such as modifying settings or accessing sensitive information [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site size or popularity [1].

As of the publication date (January 8, 2026), the vendor has not released a patched version beyond 1.0.8, leaving all installations at risk [1]. The immediate recommended action is to update the plugin if a security update becomes available [1]. If unable to update, users should consult their hosting provider or a web developer for assistance [1].