Description
Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through <= 1.0.7.
Published: 2025-04-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in Iqonic Design WPBookit 1.0.7 allows users without proper permissions to call privileged functions. This broken access control can let an attacker view or modify data that should be protected, exposing sensitive information and potentially enabling further attacks. The vulnerability corresponds to CWE‑862 – Missing Authorization.

Affected Systems

Sites running Iqonic Design's WPBookit plugin version 1.0.7 or earlier on WordPress. The plugin is available in the free WordPress plugin repository and the issue affects all releases from the first version up through 1.0.7. Any WordPress installation that has not updated beyond this version is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis. The flaw can be exploited through the web interface, targeting exposed plugin endpoints that lack proper ACL checks. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation.

Generated by OpenCVE AI on May 1, 2026 at 00:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPBookit to the latest released version that fixes the access control issue.
  • Configure WordPress to restrict the plugin’s admin pages so only users with the administrator role can access them.
  • If an upgrade cannot be performed immediately, review the plugin’s configuration options and remove or limit any exposed endpoints that allow privileged actions.

Advisories
Source: EUVD
ID: EUVD-2025-9797
Title: Missing Authorization vulnerability in Iqonic Design WPBookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through 1.0.1.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Iqonic Design WPBookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through 1.0.1.
Values Added: Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through <= 1.0.7.

Type: Title
Values Removed: WordPress WPBookit plugin <= 1.0.1 - Broken Access Control vulnerability
Values Added: WordPress WPBookit plugin <= 1.0.7 - Broken Access Control vulnerability

Type: References

Fri, 27 Jun 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Iqonic; Iqonic wpbookit

Type: CPEs
Values Removed: cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
Values Added: cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*

Type: Vendors & Products
Values Removed: Iqonicdesign; Iqonicdesign wpbookit
Values Added: Iqonic; Iqonic wpbookit

Mon, 09 Jun 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Iqonicdesign; Iqonicdesign wpbookit

Type: CPEs
Values Added: cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Iqonicdesign; Iqonicdesign wpbookit

Fri, 04 Apr 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Iqonic Design WPBookit allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPBookit: from n/a through 1.0.1.

Type: Title
Values Added: WordPress WPBookit plugin <= 1.0.1 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.925Z

Reserved: 2025-04-04T10:02:14.481Z

Link: CVE-2025-32254

Vulnrichment

Updated: 2025-04-04T18:56:28.782Z

NVD

Status: Modified

Published: 2025-04-04T16:15:34.887

Modified: 2026-04-23T15:28:50.670

Link: CVE-2025-32254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses