Description
Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is unauthenticated broken authentication in Booknetic plugin versions 4.8.5 and earlier, allowing an attacker to log in as any user, including administrators. This can give the attacker full control over the WordPress site, enabling data theft, defacement, and further compromise. The weakness is classified as improper authentication mechanisms (CWE‑288).

Affected Systems

The affected product is the WordPress Booknetic plugin from fs‑code, any version up to and including 4.8.5. Site owners running these versions via WordPress are at risk. No additional vendor or product details are listed.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is not provided and it is not listed in the CISA KEV catalog, so exploitation likelihood remains uncertain, but the unauthenticated nature and popularity of the plugin suggest a moderate‑to‑high potential for active attacks. An attacker can exploit the flaw through the plugin’s authentication endpoints with no special privileges.

Generated by OpenCVE AI on June 18, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booknetic plugin to the latest available version (above 4.8.5).
  • If an update is not immediately possible, deactivate or remove the Booknetic plugin until a patch is applied.
  • Implement strict password policies and enable two‑factor authentication for WordPress accounts to reduce the impact of any future authentication flaws.

Generated by OpenCVE AI on June 18, 2026 at 14:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Fs-code
Fs-code booknetic
Wordpress
Wordpress wordpress
Vendors & Products Fs-code
Fs-code booknetic
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.
Title WordPress Booknetic plugin <= 4.8.5 - Account Takeover vulnerability
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Fs-code Booknetic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:37:48.671Z

Reserved: 2026-02-02T12:53:40.963Z

Link: CVE-2026-25439

cve-icon Vulnrichment

Updated: 2026-06-17T12:37:35.720Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel