CVE-2026-22481

Severity: Medium
Published: 22 January 2026
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1 base score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS score: 0.0019 (8.2nd percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-22481 is a medium-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.2nd percentile by EPSS exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-22481 is a Missing Authorization vulnerability (CWE-862) in the WordPress plugin BD Courier Order Ratio Checker, developed by Rasedul Haque Rumi. The weakness lets an attacker exploit incorrectly configured access-control levels: at least one plugin operation is reachable by a user role that should not be able to invoke it. It affects all versions of the plugin up to and including 2.0.1 ("n/a through 2.0.1" in the advisory's version notation, meaning there is no lower bound). The CVSS v3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): moderate severity with a low integrity impact and no confidentiality or availability impact.

The vulnerability is exploitable by low-privileged users (PR:L) over the network, with low attack complexity and no user interaction. On WordPress this usually means any authenticated account, including the Subscriber role, so a site with open self-registration effectively exposes the flaw to anyone who can sign up. An attacker with such an account can invoke the unprotected operation to perform actions their role should not permit, resulting in limited integrity impact such as unintended modification of data within the plugin's scope.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve documents the broken access control issue in version 2.0.1 and earlier of the plugin. No fixed version is recorded here: update to a patched release if one is available; otherwise deactivate or remove the plugin, and at minimum restrict self-registration and audit which roles can reach the plugin's actions.
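To make the weakness concrete, the following is an added illustration of the CWE-862 pattern as it commonly appears in WordPress plugins, followed by the hardened form. It is not code from the BD Courier Order Ratio Checker plugin (this page does not show the plugin's source), and every hook, function, option and nonce name in it is hypothetical. The vulnerable handler gates only on "is the caller logged in", which is exactly the incorrectly configured access-control level that an authenticated low-privileged account exploits; the hardened handler enforces a capability that matches the action (AC-3) without widening it to make the feature reachable (AC-6), and adds a nonce check.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler (not the plugin's own code).
// All hook, function, option and nonce names below are hypothetical.

// ---- Vulnerable form -------------------------------------------------------
// wp_ajax_* hooks only fire for logged-in users, so the is_user_logged_in()
// check adds nothing: any role, including Subscriber, reaches update_option().
// That is the PR:L / I:L shape described above: a low-privileged account
// modifies plugin data it should not control.
add_action('wp_ajax_example_save_ratio_v1', 'example_save_ratio_vulnerable');
function example_save_ratio_vulnerable() {
    if (!is_user_logged_in()) {                          // wrong authorization level
        wp_send_json_error('login required', 401);
    }
    $value = isset($_POST['ratio_threshold']) ? $_POST['ratio_threshold'] : '';
    update_option('example_ratio_threshold', $value);    // unauthorized write
    wp_send_json_success();
}

// ---- Hardened form ---------------------------------------------------------
// AC-3: enforce authorization explicitly, per request, with a capability that
// matches what the action does (changing plugin settings -> manage_options).
// AC-6: keep that capability at the least-privileged role that genuinely needs
// the action; do not widen it (for example to 'read') to make the feature reachable.
// check_ajax_referer() additionally stops CSRF through an administrator's browser.
add_action('wp_ajax_example_save_ratio', 'example_save_ratio_hardened');
function example_save_ratio_hardened() {
    check_ajax_referer('example_save_ratio', 'nonce');   // dies with 403 on a bad/missing nonce
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // Validate the input type as well; authorization and validation are separate checks.
    $value = isset($_POST['ratio_threshold']) ? absint(wp_unslash($_POST['ratio_threshold'])) : 0;
    update_option('example_ratio_threshold', $value);
    wp_send_json_success(array('ratio_threshold' => $value));
}

// Client side, the nonce is produced with wp_create_nonce('example_save_ratio')
// and sent as the 'nonce' POST field; without it the hardened handler rejects the call.
```

When reviewing a plugin for this class of bug, look at every add_action('wp_ajax_...') and register_rest_route() callback and confirm it calls current_user_can() with a capability appropriate to the action, not merely is_user_logged_in() or a REST permission_callback of '__return_true'. After a fix, retest as a Subscriber with a valid nonce and expect a 403.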

Vulnerability details

Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.

CWE(s)

CWE-862 Missing Authorization

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in public-facing WordPress plugin directly enables remote exploitation by authenticated low-privileged users over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2026-45438 (shared CWE-862)
CVE-2025-23477 (shared CWE-862)
CVE-2025-68834 (shared CWE-862)
CVE-2026-22663 (shared CWE-862)
CVE-2024-12544 (shared CWE-862)
CVE-2024-50967 (shared CWE-862)
CVE-2025-68059 (shared CWE-862)
CVE-2025-14070 (shared CWE-862)

Affected Assets

BD Courier Order Ratio Checker (WordPress plugin, slug bd-courier-order-ratio-checker), all versions up to and including 2.0.1.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authorization checks to block the unauthorized actions permitted by the missing access control logic in the plugin.

AC-6 Least Privilege (prevent)

Limits privileges of low-privileged users so they cannot reach or exploit the incorrectly configured access control entry points.

Patch or remove (prevent)

Requires timely patching or removal of the vulnerable BD Courier Order Ratio Checker plugin versions that contain the broken authorization code.
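Patching or removing the plugin, and the earlier advice to review affected installations, both start with knowing which installs fall inside the advisory's version range. The script below is an added check, not code from the plugin or from Patchstack: it reads the "Version:" header from a plugin's main file the way WordPress does and applies the advisory's semantics ("n/a through 2.0.1" has no lower bound, so anything at or below 2.0.1 is affected). The function names are hypothetical, and the embedded header is a constructed sample in the standard WordPress plugin-header layout, not the real file.

```php
<?php
// Added check (not from the plugin or from Patchstack): determine whether an
// installed copy of the plugin is in the affected range (every version up to
// and including 2.0.1). Function names are hypothetical. Run it as
//   php check_affected.php /path/to/wp-content/plugins/bd-courier-order-ratio-checker/<main-file>.php
// or with no argument to exercise the constructed sample below.

function example_plugin_header_version(string $file_contents): ?string {
    // WordPress reads plugin metadata from "Key: value" lines in the first
    // comment block of the main plugin file; this mirrors that for "Version".
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $file_contents, $m)) {
        return trim($m[1]);
    }
    return null;  // no header found: version unknown
}

function example_is_affected(?string $installed, string $last_vulnerable = '2.0.1'): bool {
    // "n/a through 2.0.1" in the advisory means no lower bound. An unreadable
    // version is reported as affected so it gets reviewed rather than ignored.
    if ($installed === null) {
        return true;
    }
    return version_compare($installed, $last_vulnerable, '<=');
}

// Constructed sample in the standard WordPress plugin-header layout (not the real file).
$constructed_sample = "<?php\n/**\n * Plugin Name: BD Courier Order Ratio Checker\n * Version: 2.0.1\n */\n";

$source = isset($argv[1]) ? file_get_contents($argv[1]) : $constructed_sample;
if ($source === false) {
    fwrite(STDERR, "cannot read {$argv[1]}\n");
    exit(2);
}
$version  = example_plugin_header_version($source);
$affected = example_is_affected($version);
printf("version: %s\naffected (<= 2.0.1): %s\n", $version ?? 'unknown', $affected ? 'yes' : 'no');
exit($affected ? 1 : 0);  // non-zero exit lets a fleet script collect the affected hosts
```

Where WP-CLI is available, `wp plugin get bd-courier-order-ratio-checker --field=version` gives the same installed version without parsing the file; the point of the check is the comparison rule, which treats an unknown version as in scope until proven otherwise.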

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve