Description
The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password and email through the edit_profile_data() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account.
Published: 2025-05-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege escalation via account takeover
Action: Immediate Patch
AI Analysis

Impact

The WPBookit WordPress plugin up to version 1.0.2 contains an insecure direct object reference that allows an unauthenticated attacker to influence the edit_profile_data() routine. Because the plugin fails to verify the identity of the requesting user before applying changes to a profile, an attacker can modify any user’s email address or password, including those of administrators. This flaw enables full account takeover and thus elevates the attacker’s privileges across the site.

Affected Systems

All installations of the WPBookit plugin in any version up to and including 1.0.2, distributed by iqonicdesign and including the free WordPress edition, are affected regardless of other WordPress components or hosting environments. Any WordPress site that runs this plugin is impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is below 1%, suggesting exploitation attempts are currently rare but still plausible. It is not currently listed in the CISA KEV catalog. Attackers can exploit this flaw remotely from any network location with internet access to the WordPress site, without needing prior authentication. The path requires only an HTTP request that triggers the publicly reachable edit_profile_data() method. The absence of authentication and authorization checks makes the attack straightforward once the endpoint is identified.
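The flaw class described above (CWE-639, authorization through a user-controlled key) as an added WordPress PHP illustration; this is not WPBookit's code, and the hook and function names are assumed for the example. The first handler trusts a user ID from the request and is registered for unauthenticated callers; the hardened form binds the update to the logged-in session, requires a nonce, and re-checks the current password before changing it.

```php
<?php
// Added illustration of the CWE-639 pattern; not WPBookit's own code. Hook and function names are assumed.

// VULNERABLE PATTERN: the target account comes from the request, and the
// wp_ajax_nopriv_ hook makes the handler reachable without a session.
add_action('wp_ajax_example_edit_profile', 'example_edit_profile_vulnerable');
add_action('wp_ajax_nopriv_example_edit_profile', 'example_edit_profile_vulnerable');
function example_edit_profile_vulnerable() {
    $user_id = absint($_POST['user_id']);             // caller-controlled key
    wp_update_user([
        'ID'         => $user_id,
        'user_email' => sanitize_email($_POST['email']),
        'user_pass'  => $_POST['password'],
    ]);
    wp_send_json_success();
}

// HARDENED FORM: only logged-in users reach the handler, the account is
// taken from the session, the request carries a nonce, and a password
// change requires the current password.
add_action('wp_ajax_example_edit_profile_safe', 'example_edit_profile_hardened');
function example_edit_profile_hardened() {
    check_ajax_referer('example_edit_profile', 'nonce');   // CSRF check; dies on failure
    if (!is_user_logged_in()) {
        wp_send_json_error('authentication required', 401);
    }
    $user    = wp_get_current_user();
    $user_id = $user->ID;                                  // never read from the request
    $data    = ['ID' => $user_id];
    if (!empty($_POST['email'])) {
        $email = sanitize_email(wp_unslash($_POST['email']));
        $owner = email_exists($email);                     // user ID or false
        if (!is_email($email) || ($owner && (int) $owner !== $user_id)) {
            wp_send_json_error('invalid or already used email', 400);
        }
        $data['user_email'] = $email;
    }
    if (!empty($_POST['password'])) {
        $current = isset($_POST['current_password']) ? (string) $_POST['current_password'] : '';
        if (!wp_check_password($current, $user->user_pass, $user_id)) {
            wp_send_json_error('current password does not match', 403);
        }
        $data['user_pass'] = (string) $_POST['password'];
    }
    $result = wp_update_user($data);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message(), 500);
    }
    wp_send_json_success(['user_id' => $user_id]);
}
```

Note that wp_send_json_error() terminates the request, so no explicit return is needed after each failure branch.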

Generated by OpenCVE AI on April 22, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of WPBookit (greater than 1.0.2) to remove the unverified profile update functionality.
  • If upgrading is not immediately possible, disable or uninstall the WPBookit plugin to eliminate the attack surface.
  • Review user accounts for suspicious changes and reset any compromised passwords or email addresses.

Advisories
Source: EUVD
ID: EUVD-2025-14068
Title: The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password and email through the edit_profile_data() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
  Values Removed: epss {'score': 0.00105}
  Values Added: epss {'score': 0.00109}

Fri, 27 Jun 2025 18:00:00 +0000

Type: First Time appeared
  Values Added: Iqonic; Iqonic wpbookit
Type: CPEs
  Values Removed: cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
  Values Added: cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products
  Values Removed: Iqonicdesign; Iqonicdesign wpbookit
  Values Added: Iqonic; Iqonic wpbookit

Wed, 21 May 2025 15:00:00 +0000

Type: First Time appeared
  Values Added: Iqonicdesign; Iqonicdesign wpbookit
Type: CPEs
  Values Added: cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Iqonicdesign; Iqonicdesign wpbookit

Fri, 09 May 2025 04:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 May 2025 02:30:00 +0000

Type: Description
  Values Added: The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password and email through the edit_profile_data() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account.
Type: Title
  Values Added: WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover
Type: Weaknesses
  Values Added: CWE-639
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:25.522Z

Reserved: 2025-04-18T18:08:49.740Z

Link: CVE-2025-3810

Vulnrichment

Updated: 2025-05-09T03:42:47.308Z

NVD

Status: Analyzed

Published: 2025-05-09T03:15:24.150

Modified: 2025-06-27T17:39:17.577

Link: CVE-2025-3810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses