Description
Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify bookify allows Privilege Escalation. This issue affects Bookify: from n/a through <= 1.0.9.
Published: 2025-08-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bookify plugin for WordPress contains an incorrect privilege assignment flaw, classified as CWE-266, in which a low-privileged user is assigned, or can assign themselves, a higher privilege level than the application intends. Because the escalation reaches administrative rights, an attacker who triggers it can then perform administrative actions on the affected site.
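To make the weakness class concrete, the following PHP is an added illustration of what CWE-266 typically looks like in a WordPress plugin, shown beside a hardened version. It is not Bookify's code (this entry does not publish the vulnerable code path), and the handler names, AJAX action names, role names and the `ex_` prefix are hypothetical; the WordPress functions and hooks used are real core APIs.

```php
<?php
/**
 * Added illustration of CWE-266 (Incorrect Privilege Assignment) in a
 * WordPress plugin. NOT Bookify's code: the vulnerable code in Bookify is
 * not published on this entry. Handler names, AJAX action names, role
 * names and the 'ex_' prefix are hypothetical.
 */

// VULNERABLE PATTERN: wp_ajax_{action} hooks fire for every logged-in
// user regardless of role. This handler writes a caller-supplied role
// straight to the caller's own account, so any logged-in user of this
// hypothetical endpoint can POST role=administrator and receive it.
add_action( 'wp_ajax_ex_update_account', 'ex_update_account_vulnerable' );
function ex_update_account_vulnerable() {
    $user = wp_get_current_user();
    // No capability check, no nonce, no allow-list of permitted roles.
    $user->set_role( sanitize_key( $_POST['role'] ?? 'subscriber' ) );
    wp_send_json_success();
}

// HARDENED PATTERN: changing a role requires the 'promote_users'
// capability, the request must carry a nonce, the target user is looked
// up explicitly, and the role is restricted to an allow-list decided
// server-side rather than trusted from the request.
add_action( 'wp_ajax_ex_update_account_safe', 'ex_update_account_hardened' );
function ex_update_account_hardened() {
    // Rejects the request (dies) if the nonce is missing or invalid.
    check_ajax_referer( 'ex_update_account', '_wpnonce' );

    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $target_id = absint( $_POST['user_id'] ?? 0 );
    $role      = sanitize_key( $_POST['role'] ?? '' );

    if ( ! ex_role_is_allowed( $role ) ) {
        wp_send_json_error( 'invalid role', 400 );
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // set_role() fires the core 'set_user_role' action, which an audit
    // hook can log (see the detection example under Recommended Actions).
    $target->set_role( $role );
    wp_send_json_success();
}

// Only the roles this hypothetical plugin is meant to manage.
// 'administrator' is deliberately absent, so even a caller holding
// promote_users cannot use this endpoint to mint administrators.
function ex_role_is_allowed( string $role ): bool {
    return in_array( $role, array( 'subscriber', 'ex_customer', 'ex_staff' ), true );
}
```

The essential difference is where the privilege decision is made: in the vulnerable handler the client chooses the role, in the hardened one the server checks a capability, validates a nonce and then only ever assigns a role from a fixed list it controls.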

Affected Systems

The vulnerable component is the Bookify plugin for WordPress, developed by Saad Iqbal. All released versions up to and including 1.0.9 are affected. The affected range starts at "n/a", meaning no earliest affected release has been identified, so every earlier release should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) is in the High range: the flaw is reachable over the network, has low attack complexity, requires only low privileges (an authenticated account with basic user rights) and no user interaction, and carries high confidentiality, integrity and availability impact. The EPSS score is currently below 1%, implying a low predicted probability of exploitation in the near term, and the SSVC assessment recorded on this entry rates Exploitation as none and Automatable as no, with Technical Impact total. The vulnerability is not listed in the CISA KEV catalog. The risk is nonetheless serious: PR:L means that any low-privileged account, such as a Subscriber, is sufficient to attempt the escalation, and a successful attempt yields administrative control of the site. This entry does not describe the vulnerable endpoint, so whether the flaw is triggered through the plugin's front-end or back-end interfaces cannot be determined from it. No public exploitation has been reported, but the severity warrants prompt remediation.

Generated by OpenCVE AI on April 30, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bookify to a version that corrects the privilege assignment issue once the vendor releases one; none is recorded on this entry at the time of analysis.
  • Until a fixed version is available, deactivate or uninstall the Bookify plugin. WordPress does not load inactive plugins, so deactivation removes the vulnerable code path.
  • Apply least-privilege principles: review WordPress user roles and remove administrator rights from accounts that do not need them. Because the CVSS vector requires only low privileges (PR:L), also restrict or disable open user registration where the site does not need it, since every low-privileged account is a potential starting point.
  • Enable logging and alert on unexpected role or capability changes, in particular any account gaining the administrator role, to detect exploitation attempts.
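The detection step above can be implemented without a third-party audit plugin by hooking the core actions WordPress fires whenever a role is set, added or removed. The following PHP is an added example (not part of Bookify or of OpenCVE) intended to be dropped into wp-content/mu-plugins/, where it loads before regular plugins and cannot be deactivated from the admin UI. The `rca_` prefix and the log tag are hypothetical; the `set_user_role`, `add_user_role` and `remove_user_role` actions and the other functions called are real WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Role Change Audit (added example)
 * Description: Logs every role assignment and alerts when a sensitive role
 *              is granted, so that privilege escalation through a plugin
 *              flaw leaves a trace.
 *
 * Added example, not Bookify's or OpenCVE's code. Install as a must-use
 * plugin under wp-content/mu-plugins/. The 'rca_' prefix and the
 * '[role-audit]' log tag are hypothetical; the hooks are core actions.
 */

// Roles whose assignment should raise an alert rather than only a log line.
function rca_sensitive_roles(): array {
    return array( 'administrator', 'editor' );
}

// Build one structured, single-line JSON log record. Kept as a pure
// function so the record format can be unit-tested without WordPress.
function rca_format_event( string $event, int $user_id, string $login, string $role, array $old_roles, int $actor_id, string $ip ): string {
    return wp_json_encode( array(
        'event'     => $event,       // set_user_role | add_user_role | remove_user_role
        'user_id'   => $user_id,     // account whose privileges changed
        'login'     => $login,
        'role'      => $role,
        'old_roles' => array_values( $old_roles ),
        'actor_id'  => $actor_id,    // 0 = no logged-in actor (cron, WP-CLI, unauthenticated)
        'ip'        => $ip,
        'sensitive' => in_array( $role, rca_sensitive_roles(), true ),
        'ts'        => gmdate( 'c' ),
    ) );
}

function rca_record( string $event, int $user_id, string $role, array $old_roles = array() ): void {
    $user  = get_userdata( $user_id );
    $login = $user ? $user->user_login : '(unknown)';
    // REMOTE_ADDR is the proxy's address when the site sits behind one;
    // treat it as a hint, not as an identity.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    $line  = rca_format_event( $event, $user_id, $login, $role, $old_roles, get_current_user_id(), $ip );

    // error_log() writes to the PHP error log (or WP_DEBUG_LOG). Ship that
    // file to your SIEM: a plugin that has just been abused cannot edit it.
    error_log( '[role-audit] ' . $line );

    // Alert immediately when a sensitive role is granted. Self-promotion
    // (actor_id == user_id) or no actor at all are the cases worth a page.
    if ( 'remove_user_role' !== $event && in_array( $role, rca_sensitive_roles(), true ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] %s role granted to %s', wp_parse_url( home_url(), PHP_URL_HOST ), $role, $login ),
            $line
        );
    }
}

// Core fires these from WP_User::set_role(), add_role() and remove_role(),
// whichever plugin or theme made the call.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    rca_record( 'set_user_role', (int) $user_id, (string) $role, (array) $old_roles );
}, 10, 3 );

add_action( 'add_user_role', function ( $user_id, $role ) {
    rca_record( 'add_user_role', (int) $user_id, (string) $role );
}, 10, 2 );

add_action( 'remove_user_role', function ( $user_id, $role ) {
    rca_record( 'remove_user_role', (int) $user_id, (string) $role );
}, 10, 2 );
```

One limitation to keep in mind: these actions only fire when roles are changed through the WP_User methods. Code that writes the `{$wpdb->prefix}capabilities` user meta directly bypasses them, so pair this hook-based logging with a periodic baseline check, for example listing administrator accounts with `wp user list --role=administrator --field=user_login` from WP-CLI and diffing against a known-good list.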



Advisories

Source: EUVD
ID: EUVD-2025-28143
Title: Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify allows Privilege Escalation. This issue affects Bookify: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify allows Privilege Escalation. This issue affects Bookify: from n/a through 1.0.9.
  Values Added: Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify bookify allows Privilege Escalation.This issue affects Bookify: from n/a through <= 1.0.9.
References: (no values shown)
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 21 Aug 2025 12:45:00 +0000

First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Description: Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify allows Privilege Escalation. This issue affects Bookify: from n/a through 1.0.9.
Title: WordPress Bookify <= 1.0.9 - Privilege Escalation Vulnerability
Weaknesses: CWE-266
References: (no values shown)
Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.319Z

Reserved: 2025-05-15T18:01:53.421Z

Link: CVE-2025-48142

Vulnrichment

Updated: 2025-08-20T14:05:34.866Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:30.273

Modified: 2026-04-23T15:30:52.543

Link: CVE-2025-48142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses