Description
The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Published: 2025-05-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Now
AI Analysis

Impact

The WPBookit plugin contains an insecure direct object reference that allows any unauthenticated user to submit a request to update another user’s email address. Because the plugin fails to verify the caller’s identity, an attacker can change the email of any account, including administrators, and then use that address to reset the password and assume the victim’s identity. This flaw provides a clear path to full account takeover for the targeted user.

Affected Systems

All installations of the WPBookit WordPress plugin with version number 1.0.2 or earlier. The vulnerable component is the edit_newdata_customer_callback() function located in the core/admin classes for the plugin.

Risk and Exploitability

The CVSS base score of 9.8 indicates critical severity, but the EPSS score of less than 1% implies the likelihood of exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be via a crafted HTTP request to the plugin’s admin interface; the flaw requires no prior authentication, so the path is straightforward once the attacker locates the vulnerable endpoint.

Generated by OpenCVE AI on April 21, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBookit to the latest available version.
  • If an immediate upgrade is not possible, disable or restrict the customer email editing feature to authenticated administrators only.
  • Monitor access to the edit_newdata_customer_callback endpoint for unexpected POST requests and review audit logs for unauthorized email changes.
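The missing identity check described in the Impact section and the "restrict the customer email editing feature to authenticated administrators only" action above, shown as an added example that is not WPBookit's own code: a generic WordPress AJAX email-update handler written in the CWE-639 pattern (target user ID trusted straight from the request, handler exposed to unauthenticated callers), followed by a hardened version that requires a login and a nonce, enforces object-level authorisation with WordPress's edit_user capability, validates the address and leaves an audit entry. All function names, AJAX action slugs and the nonce action are assumptions; only the WordPress core APIs (check_ajax_referer, current_user_can, wp_update_user, wp_send_json_error and friends) are real.

```php
<?php
// Added illustration, not WPBookit's source. Names prefixed "example_" are assumed.

// ---- Pattern that produces a CWE-639 bug -------------------------------------
// The target user comes from the request, nobody checks that the caller is that
// user (or may edit them), and the nopriv hook lets logged-out visitors call it.
function example_vuln_edit_customer_callback() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}
// Distinct slug so both handlers can sit in one file for comparison.
add_action( 'wp_ajax_example_edit_customer_vuln', 'example_vuln_edit_customer_callback' );
add_action( 'wp_ajax_nopriv_example_edit_customer_vuln', 'example_vuln_edit_customer_callback' );

// ---- Hardened handler -----------------------------------------------------------
// 1. No wp_ajax_nopriv_ hook: unauthenticated requests never reach the code.
// 2. A nonce bound to this action blocks CSRF from other sites.
// 3. Object-level authorisation: callers may change their own email, or another
//    user's only if they hold the edit_user meta capability for that user
//    (administrators do; ordinary customers do not).
// 4. The address is validated before any write.
function example_secure_edit_customer_callback() {
    check_ajax_referer( 'example_edit_customer_nonce', 'nonce' ); // dies on failure

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $target_id = absint( $_POST['user_id'] ?? 0 );
    $caller_id = get_current_user_id();

    // This comparison is the step a CWE-639 handler leaves out.
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'not permitted to edit this user', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid or already-registered email', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }

    // Audit trail supporting the "review audit logs for unauthorized email changes" action.
    error_log( sprintf( 'email change: user %d updated by user %d from %s',
        $target_id, $caller_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );

    wp_send_json_success();
}
add_action( 'wp_ajax_example_edit_customer', 'example_secure_edit_customer_callback' );
```

The decisive difference is the single capability check: with it, a request carrying an administrator's user ID from a customer session (or no session at all) is rejected before wp_update_user runs, so the email-then-password-reset chain in the description has nowhere to start.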


Advisories

Source: EUVD
ID: EUVD-2025-14067
Title: The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
History

Wed, 16 Jul 2025 13:45:00 +0000
  Type: Metrics
  Values Removed: epss {'score': 0.00105}
  Values Added: epss {'score': 0.00109}

Fri, 27 Jun 2025 18:00:00 +0000
  Type: First Time appeared
  Values Added: Iqonic; Iqonic wpbookit
  Type: CPEs
  Values Removed: cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
  Values Added: cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*
  Type: Vendors & Products
  Values Removed: Iqonicdesign; Iqonicdesign wpbookit
  Values Added: Iqonic; Iqonic wpbookit

Wed, 21 May 2025 14:45:00 +0000
  Type: First Time appeared
  Values Added: Iqonicdesign; Iqonicdesign wpbookit
  Type: CPEs
  Values Added: cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
  Type: Vendors & Products
  Values Added: Iqonicdesign; Iqonicdesign wpbookit

Fri, 09 May 2025 04:15:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 May 2025 02:30:00 +0000
  Type: Description
  Values Added: The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
  Type: Title
  Values Added: WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update
  Type: Weaknesses
  Values Added: CWE-639
  Type: References
  Type: Metrics
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:25.332Z

Reserved: 2025-04-18T18:14:29.105Z

Link: CVE-2025-3811

Vulnrichment

Updated: 2025-05-09T03:41:25.847Z

NVD

Status : Analyzed

Published: 2025-05-09T03:15:24.307

Modified: 2025-06-27T17:39:22.693

Link: CVE-2025-3811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses