Description
Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation. This issue affects WPBookit Pro: from n/a through <= 1.6.18.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability stems from incorrect privilege assignment within the iQonic Design WPBookit Pro WordPress plugin. An attacker able to exploit it can elevate their privileges, potentially granting themselves administrative rights. This weakness, categorized as CWE-266, permits unauthorized escalation of authority, threatening the confidentiality, integrity, and availability of the affected site.

Affected Systems

The flaw affects iQonic Design's WPBookit Pro plugin version 1.6.18 and all earlier releases. Any WordPress installation running a vulnerable version is at risk.

Risk and Exploitability

With a CVSS score of 8.8 the flaw is high severity, yet the EPSS score is under 1 %, indicating a low current likelihood of exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation would typically be carried out remotely via the WordPress administrative interface, and would require an authenticated session or the ability to manipulate the plugin's code. Despite the low EPSS, the high severity warrants timely action.

Generated by OpenCVE AI on March 26, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBookit Pro to a version newer than 1.6.18 or install the vendor’s official patch if available.
  • If an upgrade is not immediately feasible, remove the plugin from the site or disable it for non‑privileged users.
  • Restrict WordPress administrative privileges to a small number of trusted accounts and enforce strong authentication.
  • After applying the fix, review audit logs for unauthorized privilege changes and verify that the vulnerability no longer exists.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Iqonicdesign; Iqonicdesign wpbookit Pro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Iqonicdesign; Iqonicdesign wpbookit Pro; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.

Type: Title
Values Removed: (none)
Values Added: WordPress WPBookit Pro plugin <= 1.6.18 - Privilege Escalation vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266

Type: References
Values Removed: (none)
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.609Z

Reserved: 2026-02-02T12:53:26.261Z

Link: CVE-2026-25414

Vulnrichment

Updated: 2026-03-26T15:49:43.414Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:50.180

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-25414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:46Z

Weaknesses