CVE-2026-15293
joeyoungblood · WP Business Intelligence Lite
The WP Business Intelligence Lite plugin for WordPress contains an authorization bypass vulnerability, allowing authenticated users with lower privileges to perform actions restricted to higher-level roles.
Executive summary
The WP Business Intelligence Lite plugin for WordPress is affected by an authorization bypass vulnerability, potentially allowing unauthorized access to restricted administrative functionality.
Vulnerability
This is a Missing Authorization vulnerability (CWE-862). The vulnerability resides in the plugin's Admin/Menu/Query.php and Loader.php files, where it fails to properly verify the user's capability before executing sensitive administrative functions.
Business impact
An attacker with minimal privileges could exploit this flaw to access or manipulate business intelligence data, potentially leading to unauthorized information disclosure or system configuration changes. Given the CVSS score of 8.0, this vulnerability presents a significant risk to the confidentiality and integrity of the business data managed within the WordPress instance.
Remediation
Immediate Action: Update the WP Business Intelligence Lite plugin to the latest version immediately to resolve the missing authorization checks.
Proactive Monitoring: Monitor WordPress audit logs for unexpected access to business intelligence query menus or settings by users who should not have such permissions.
Compensating Controls: Implement strict role-based access control (RBAC) and restrict access to the WordPress dashboard to trusted IP addresses where possible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This authorization bypass requires immediate attention to prevent unauthorized access to sensitive business data. All administrators should verify their plugin versions and apply the patch as soon as it is made available by the vendor.