Skip to main content

Wpbookit Pro CVE-2026-25414

| EUVDEUVD-2026-15721 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-584j-3pf8-566f
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15721
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.

AnalysisAI

WPBookit Pro contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows unauthenticated or low-privileged attackers to escalate their privileges within the WordPress plugin. All versions through 1.6.18 are affected, enabling attackers to gain unauthorized administrative or elevated capabilities. The vulnerability was reported by Patchstack and tracked under EUVD-2026-15721, though CVSS scoring data is currently unavailable.

Technical ContextAI

The vulnerability exists in the WPBookit Pro WordPress plugin (CPE: cpe:2.3:a:iqonicdesign:wpbookit_pro), a booking and appointment management plugin for WordPress. The root cause falls under CWE-266 (Incorrect Privilege Assignment), which describes flaws in how the application assigns, manages, or validates user roles and capabilities. In the WordPress context, this typically involves improper capability checks on administrative functions, REST API endpoints, or AJAX handlers that fail to verify user permissions before executing sensitive operations. The plugin's booking management functions likely lack proper capability validation, allowing attackers to invoke privileged operations (such as creating bookings, modifying settings, or accessing sensitive data) without appropriate role-based access control checks.

RemediationAI

Immediately upgrade WPBookit Pro to a version newer than 1.6.18 (consult the vendor release notes or Patchstack database for the exact patched version). If an immediate upgrade is not feasible, disable or deactivate the WPBookit Pro plugin until patching can be completed. As a network-level mitigation, restrict direct access to the WordPress admin panel and plugin AJAX endpoints to trusted IP ranges, and implement Web Application Firewall (WAF) rules to block suspicious privilege escalation attempts. Additionally, audit all booking records and user accounts created or modified while running vulnerable versions, as attackers may have already exploited this flaw to create backdoor accounts or tamper with bookings.

Share

CVE-2026-25414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy