CVE-2026-15293

joeyoungblood · WP Business Intelligence Lite

The WP Business Intelligence Lite plugin for WordPress contains an authorization bypass vulnerability, allowing authenticated users with lower privileges to perform actions restricted to higher-level roles.

Executive summary

The WP Business Intelligence Lite plugin for WordPress is affected by an authorization bypass vulnerability, potentially allowing unauthorized access to restricted administrative functionality.

Vulnerability

This is a Missing Authorization vulnerability (CWE-862). The vulnerability resides in the plugin's Admin/Menu/Query.php and Loader.php files, where it fails to properly verify the user's capability before executing sensitive administrative functions.

Business impact

An attacker with minimal privileges could exploit this flaw to access or manipulate business intelligence data, potentially leading to unauthorized information disclosure or system configuration changes. Given the CVSS score of 8.0, this vulnerability presents a significant risk to the confidentiality and integrity of the business data managed within the WordPress instance.

Remediation

Immediate Action: Update the WP Business Intelligence Lite plugin to the latest version immediately to resolve the missing authorization checks.

Proactive Monitoring: Monitor WordPress audit logs for unexpected access to business intelligence query menus or settings by users who should not have such permissions.

Compensating Controls: Implement strict role-based access control (RBAC) and restrict access to the WordPress dashboard to trusted IP addresses where possible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This authorization bypass requires immediate attention to prevent unauthorized access to sensitive business data. All administrators should verify their plugin versions and apply the patch as soon as it is made available by the vendor.