CVE-2026-22481
Published: 22 January 2026
Summary
CVE-2026-22481 is a medium-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-22481 is a Missing Authorization vulnerability (CWE-862) in the WordPress plugin BD Courier Order Ratio Checker developed by Rasedul Haque Rumi. The flaw allows exploitation of incorrectly configured access control security levels and affects all versions of the plugin from n/a through 2.0.1. It has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating moderate severity with low integrity impact but no confidentiality or availability effects.
The vulnerability can be exploited by low-privileged users (PR:L) over the network with low attack complexity and no user interaction required. Attackers with such access can leverage the broken access control to perform unauthorized actions, resulting in limited integrity impacts such as unintended data modification within the plugin's scope.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve provides details on the broken access control issue in version 2.0.1 and earlier of the WordPress BD Courier Order Ratio Checker plugin. Security practitioners should update to a patched version if available or review access controls in affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3853
Vulnerability details
Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote exploitation over the network by authenticated, low-privileged users.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks to block the unauthorized actions permitted by the missing access control logic in the plugin.
- AC-6 (Least Privilege): limits the privileges of low-privileged users so they cannot reach or exploit the incorrectly configured access control entry points.
- Timely patching or removal of the vulnerable BD Courier Order Ratio Checker plugin versions that contain the broken authorization code.
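The advisory does not identify the affected code path, so the following is an added illustration of the CWE-862 pattern in a WordPress plugin and of the AC-3 fix, not code from BD Courier Order Ratio Checker. The hook names, option name and capability are hypothetical; what is real is the WordPress behaviour that any authenticated user (the PR:L of the CVSS vector) can call a wp_ajax_* handler unless the handler itself checks authorization.

```php
<?php
// Added example (not the plugin's code). Hook names, the option
// 'bdc_demo_api_key' and the 'manage_options' capability are hypothetical.

// Vulnerable pattern (CWE-862): wp_ajax_* handlers are reachable by every
// logged-in user, so a subscriber can change plugin state if the handler
// never asks whether the caller is allowed to (limited integrity impact).
function bdc_demo_save_settings_vulnerable() {
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'bdc_demo_api_key', $api_key ); // no authorization check
    wp_send_json_success();
}
add_action( 'wp_ajax_bdc_demo_save_vuln', 'bdc_demo_save_settings_vulnerable' );

// Hardened pattern (AC-3 Access Enforcement): require an explicit capability
// before touching state. The capability check is the fix for missing
// authorization; the nonce check additionally stops cross-site request forgery.
function bdc_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'bdc_demo_save', 'nonce' ); // dies with 403 on mismatch
    $api_key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
    update_option( 'bdc_demo_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_bdc_demo_save', 'bdc_demo_save_settings_hardened' );

// Same rule for REST routes: a state-changing route needs a real
// permission_callback, never __return_true.
add_action( 'rest_api_init', function () {
    register_rest_route( 'bdc-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $api_key = sanitize_text_field( (string) $req->get_param( 'api_key' ) );
            update_option( 'bdc_demo_api_key', $api_key );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing an installed plugin, grep its wp_ajax_ and register_rest_route registrations and confirm each state-changing callback reaches a current_user_can() check before any update_option(), database write or file operation.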