Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.
AnalysisAI
WPBookit Pro contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows unauthenticated or low-privileged attackers to escalate their privileges within the WordPress plugin. All versions through 1.6.18 are affected, enabling attackers to gain unauthorized administrative or elevated capabilities. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15721, though CVSS scoring data is currently unavailable.
Technical ContextAI
The vulnerability exists in the WPBookit Pro WordPress plugin (CPE: cpe:2.3:a:iqonicdesign:wpbookit_pro), a booking and appointment management plugin for WordPress. The root cause falls under CWE-266 (Incorrect Privilege Assignment), which describes flaws in how the application assigns, manages, or validates user roles and capabilities. In the WordPress context, this typically involves improper capability checks on administrative functions, REST API endpoints, or AJAX handlers that fail to verify user permissions before executing sensitive operations. The plugin's booking management functions likely lack proper capability validation, allowing attackers to invoke privileged operations (such as creating bookings, modifying settings, or accessing sensitive data) without appropriate role-based access control checks.
RemediationAI
Immediately upgrade WPBookit Pro to a version newer than 1.6.18 (consult the vendor release notes or Patchstack database for the exact patched version). If an immediate upgrade is not feasible, disable or deactivate the WPBookit Pro plugin until patching can be completed. As a network-level mitigation, restrict direct access to the WordPress admin panel and plugin AJAX endpoints to trusted IP ranges, and implement Web Application Firewall (WAF) rules to block suspicious privilege escalation attempts. Additionally, audit all booking records and user accounts created or modified while running vulnerable versions, as attackers may have already exploited this flaw to create backdoor accounts or tamper with bookings.
More in Wpbookit Pro
View allSame weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15721
GHSA-584j-3pf8-566f