CVE-2026-27346
Description
Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects B2BKing: versions before 5.2.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in the B2BKing plugin allows unprivileged users to perform higher-privileged actions; fixed in version 5.2.10.
Vulnerability
The B2BKing plugin for WordPress (versions before 5.2.10) contains a Missing Authorization vulnerability. This is a broken access control issue where the plugin fails to properly check authorization, authentication, or nonce tokens in certain functions, allowing an unprivileged user to execute actions normally reserved for higher-privileged roles.
Exploitation
The attacker is an unauthenticated or low-privileged user (e.g., subscriber) with network access to the WordPress site. By crafting specific requests to the vulnerable functions that lack the required authorization checks, an attacker can trigger actions that should require higher privileges.
Impact
Successful exploitation permits an attacker to perform unauthorized actions, potentially including accessing sensitive data or modifying settings, leading to a compromise of confidentiality or integrity. The vulnerability is rated with low severity and is unlikely to be actively exploited in the wild, but it could be used in mass-exploit campaigns.
Mitigation
The issue is fixed in B2BKing version 5.2.10, released by May 2026. Users should update to 5.2.10 or later immediately. Patchstack users can enable auto-update for vulnerable plugins. If immediate update is not possible, consult your hosting provider or web developer for assistance.
[1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.2.10
- Range: <5.2.10
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.