Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation.
This issue affects BookIt: from n/a before 2.5.4.1.
AnalysisAI
Authentication bypass in Liquid Web / StellarWP BookIt WordPress plugin versions before 2.5.4.1 allows remote unauthenticated attackers to abuse the password recovery channel to take over accounts. The flaw maps to CWE-288 (alternate path/channel) and carries a CVSS 7.5 (high) integrity impact; no public exploit identified at time of analysis, though Patchstack has catalogued the issue for the WordPress ecosystem.
Technical ContextAI
BookIt is a WordPress booking/appointment plugin distributed by Liquid Web's StellarWP brand (CPE cpe:2.3:a:liquid_web_/_stellarwp:bookit). The weakness class is CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin enforces authentication on its primary login path but exposes an unauthenticated secondary path (here, the password recovery / reset flow) that can be abused to achieve the same trust level as a logged-in user. Typical implementations of this bug class in WordPress plugins involve predictable reset tokens, missing nonce/permission checks on reset endpoints, or trusting attacker-supplied user identifiers when generating or consuming a reset link.
RemediationAI
Upgrade the BookIt plugin to version 2.5.4.1 or later via the WordPress plugin updater or by downloading the patched release from the vendor - this is the primary fix per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/bookit/vulnerability/wordpress-bookit-plugin-2-5-1-broken-authentication-vulnerability). If immediate patching is not possible, compensating controls include temporarily deactivating the BookIt plugin (side effect: booking functionality will be unavailable to site visitors), restricting access to the plugin's password-recovery endpoint at the web server or WAF layer (side effect: legitimate users will be unable to self-service password resets and must use admin-driven resets), and enforcing strong WordPress administrator-level controls such as 2FA on the underlying user accounts so a stolen plugin-level credential does not directly translate into a full site compromise.
The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. Rated cr
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Boo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33948
GHSA-6wpw-j4xp-qqv8