PatchSiren cyber security CVE debrief
CVE-2026-27346 Kings Plugins CVE debrief
A Missing Authorization vulnerability in the B2BKing WordPress plugin allows authenticated attackers who already hold high privileges to exploit incorrectly configured access control levels. The vulnerability affects all versions before 5.2.10 and was assigned a CVSS 3.1 score of 4.9 (Medium severity). The issue stems from a broken access control check (CWE-862) that could let such an attacker perform actions beyond what their role is intended to permit. The CVE was published on May 25, 2026, and modified on May 26, 2026. No exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Kings Plugins
- Product: B2BKing
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
Organizations running the B2BKing plugin for WooCommerce at versions below 5.2.10, particularly those with multiple high-privilege users or concerns about insider threats and privilege escalation within administrative roles.
Technical summary
The B2BKing plugin for WooCommerce contains a Missing Authorization vulnerability (CWE-862) in versions prior to 5.2.10. The vulnerability allows attackers with high-level privileges to bypass intended access controls, potentially leading to unauthorized integrity modifications. The attack requires only network access and low complexity, but it is limited by the prerequisite of compromising a high-privilege account. The CVSS 3.1 score of 4.9 reflects the limited additional impact given the elevated privileges already required for exploitation.
Defensive priority
medium
Recommended defensive actions
- Update B2BKing plugin to version 5.2.10 or later
- Review user role permissions and access control configurations
- Audit administrative actions for unauthorized changes
- Monitor for unusual activity from high-privilege accounts
- Verify plugin update was applied successfully
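The first and last actions above (patch to 5.2.10 and verify it landed) come down to comparing installed versions against the fixed version across an estate. The script below is an added example, not PatchSiren's or Kings Plugins' code: it triages a constructed inventory (hostnames and counts are made up) and orders affected sites by how many high-privilege users they have, since the vector requires PR:H. It also shows the edge case that matters for this specific fix version: a naive string comparison ranks "5.2.10" below "5.2.9", so versions are parsed into integer tuples before comparing.

```python
"""Inventory triage for CVE-2026-27346 (added example, not PatchSiren's or
Kings Plugins' code). Flags B2BKing installs below the fixed version 5.2.10
from a constructed inventory."""
import re

FIXED_VERSION = "5.2.10"  # fixed version stated in the advisory


def parse_version(v: str) -> tuple:
    """Turn '5.2.10' into (5, 2, 10). A trailing suffix such as '-beta' is
    dropped and the release is treated as the bare dotted number."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fix.
    Tuple comparison gets (5, 2, 9) < (5, 2, 10) right, whereas the string
    comparison '5.2.9' < '5.2.10' is False."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory):
    """Return the affected sites, most high-privilege users first (the
    vector needs PR:H, so more admin accounts means more exposure)."""
    affected = [s for s in inventory if is_affected(s["b2bking_version"])]
    return sorted(affected, key=lambda s: (-s["admin_users"], s["site"]))


# Constructed sample inventory; these are not real hosts or real data.
SAMPLE_INVENTORY = [
    {"site": "shop-a.example", "b2bking_version": "5.2.9", "admin_users": 4},
    {"site": "shop-b.example", "b2bking_version": "5.2.10", "admin_users": 6},
    {"site": "shop-c.example", "b2bking_version": "5.1.0", "admin_users": 1},
    {"site": "shop-d.example", "b2bking_version": "5.2.11", "admin_users": 2},
]

if __name__ == "__main__":
    for site in triage(SAMPLE_INVENTORY):
        print(f"{site['site']}: B2BKing {site['b2bking_version']} is below "
              f"{FIXED_VERSION}, {site['admin_users']} high-privilege users")
```

Feed it whatever your inventory tool exports (the field names here are assumptions); the point is that the comparison is numeric, so re-running it after the update is a reliable verification step.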
Evidence notes
The vulnerability is classified as CWE-862 (Missing Authorization) with a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, indicating network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The NVD entry status is currently 'Deferred'.
Official resources
- CVE-2026-27346 CVE record (CVE.org)
- CVE-2026-27346 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: The vulnerability was disclosed through Patchstack and subsequently entered into the National Vulnerability Database. The vendor, Kings Plugins, has released version 5.2.10 to address this issue.