CVE-2023-3126

MEDIUM

B2BKing < 4.6.00 - Authenticated Unauthorized Data Access via b2bkingdownloadpricelist Function

Title source: llm

Description

The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'b2bkingdownloadpricelist' function in versions up to, and including, 4.6.00. This makes it possible for authenticated attackers with subscriber-level or customer-level permissions to retrieve the full price list for every product on the site.
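The root cause the advisory names is a WordPress AJAX handler that does privileged work without asking whether the caller is allowed to. The following is an added, illustrative example and is not B2BKing's code; the hook name, function names, capability, nonce action and CSV helper are all assumptions chosen to show the CWE-862 pattern and its fix.

```php
<?php
/**
 * Added illustration of a missing-capability-check (CWE-862) AJAX handler
 * and its hardened form. NOT the B2BKing plugin's code; every identifier
 * here is an assumption.
 */

// Before: the handler was hooked like this. 'wp_ajax_*' runs for ANY
// logged-in user, so a subscriber could call admin-ajax.php with
// action=example_download_pricelist and receive the whole price list.
//
//   add_action( 'wp_ajax_example_download_pricelist', 'example_download_pricelist_vuln' );
function example_download_pricelist_vuln() {
    // No current_user_can() and no nonce: authentication is the only gate.
    $rows = example_collect_pricelist();
    example_send_csv( $rows );
}

// After: same hook, but the handler authorizes before it acts.
add_action( 'wp_ajax_example_download_pricelist', 'example_download_pricelist_fixed' );

function example_download_pricelist_fixed() {
    // 1. Authorization. 'manage_woocommerce' is held by shop managers and
    //    administrators, not by subscribers or customers. Which capability
    //    a real feature should require is a design decision; the point is
    //    that some capability check must exist on the privileged action.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 2. CSRF protection. The page that offers the download must emit
    //    wp_create_nonce( 'example_pricelist_nonce' ) in a 'nonce' field.
    check_ajax_referer( 'example_pricelist_nonce', 'nonce' );

    $rows = example_collect_pricelist();
    example_send_csv( $rows );
}

// Assumed helper: gather id, name and price for every published product
// via the WooCommerce API (limit -1 means no pagination).
function example_collect_pricelist() {
    $rows = array();
    $products = wc_get_products( array( 'limit' => -1, 'status' => 'publish' ) );
    foreach ( $products as $product ) {
        $rows[] = array( $product->get_id(), $product->get_name(), $product->get_price() );
    }
    return $rows;
}

// Assumed helper: stream the rows as a CSV download and end the request.
function example_send_csv( array $rows ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="pricelist.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'name', 'price' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die();
}
```

Two points worth checking when reviewing any plugin for this class of bug: a `wp_ajax_` registration by itself proves only that the caller is logged in, never what they may do, and a nonce is not an authorization check (it stops cross-site requests, but a subscriber can obtain their own nonce). Both `current_user_can()` and `check_ajax_referer()` belong in the handler, and the capability chosen should exclude the roles the advisory says were able to reach the data.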

Scores

CVSS v3.1 base score 4.3 (Medium)
EPSS 0.0069
EPSS Percentile 48.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862 (Missing Authorization)
Status published
Products (2)
webwizards/b2bking < 4.6.00
webwizardsdev/B2BKing — Ultimate WooCommerce B2B and Wholesale Plugin — Wholesale Prices, Bulk Order Form & More < 4.6.00
Published Jun 07, 2023
Tracked Since Feb 18, 2026