What the vulnerability does
01Description
Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Roy: from n/a through <= 1.1.4.
Explanation of Vulnerability in Simple Terms
02Summary
Business Roy through version 1.1.4 contains an authorization bypass that allows authenticated users to modify data they should not have access to. The vulnerability stems from missing permission checks on certain operations. An attacker with a low-privilege account can alter content or settings without proper authorization. Update to a version newer than 1.1.4 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Modify data or settings without proper authorization using a low-privilege account.
Potential impact on your site
04Site Impact
Unauthorized users can alter site content, settings, or data they should not have access to.
Conditions required to exploit
05Prerequisites
Attacker must have a valid low-privilege user account on the site.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
April 28, 2026
Record updated