CVE-2026-24571

BOX NOW Delivery <= 3.0.2 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.2.0
Patched in
85d
Time to patch

Description

The BOX NOW Delivery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.2
PublishedJanuary 21, 2026
Last updatedApril 15, 2026
Affected pluginbox-now-delivery

What Changed in the Fix

Changes introduced in v3.2.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Vulnerability Research Plan: CVE-2026-24571 (BOX NOW Delivery) ## 1. Vulnerability Summary The **BOX NOW Delivery** plugin for WordPress (up to 3.0.2) contains a **Missing Authorization** vulnerability. The plugin implements settings management logic that is accessible via `admin-post.php` but fa…

Show full research plan

Vulnerability Research Plan: CVE-2026-24571 (BOX NOW Delivery)

1. Vulnerability Summary

The BOX NOW Delivery plugin for WordPress (up to 3.0.2) contains a Missing Authorization vulnerability. The plugin implements settings management logic that is accessible via admin-post.php but fails to perform an adequate capability check (e.g., current_user_can('manage_options')) within the processing logic. Consequently, any authenticated user with at least Subscriber privileges can modify critical plugin settings, including API credentials, warehouse IDs, and contact information.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-post.php
  • Action: boxnow-settings-save
  • Method: POST (URL-encoded)
  • Authentication: Required (Subscriber or higher)
  • Vulnerable Parameter: action, and various settings parameters (e.g., boxnow_partner_id, boxnow_client_id).
  • Preconditions: The plugin must be active and WooCommerce must be installed/active (as seen in box-now-delivery.php line 20).

3. Code Flow

  1. Entry Point: The main plugin file box-now-delivery.php includes includes/box-now-delivery-admin-page.php.
  2. Registration: includes/box-now-delivery-admin-page.php includes includes/box-now-delivery-validation.php (line 19).
  3. Trigger: The validation file likely hooks into admin_post_boxnow-settings-save (inferred from the form in box_now_delivery_options in box-now-delivery-admin-page.php, line 49).
  4. Processing: The handler for this action fails to verify if the user has the manage_options capability.
  5. Sink: The handler calls update_option() for various boxnow_* parameters provided in the $_POST request.

4. Nonce Acquisition Strategy

The form in box-now-delivery-admin-page.php uses

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.