Skip to main content

BookIt EUVDEUVD-2026-33948

| CVE-2026-40780 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-02 Patchstack GHSA-6wpw-j4xp-qqv8
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 17:01 EUVD
Analysis Generated
Jun 02, 2026 - 16:01 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation.

This issue affects BookIt: from n/a before 2.5.4.1.

AnalysisAI

Authentication bypass in Liquid Web / StellarWP BookIt WordPress plugin versions before 2.5.4.1 allows remote unauthenticated attackers to abuse the password recovery channel to take over accounts. The flaw maps to CWE-288 (alternate path/channel) and carries a CVSS 7.5 (high) integrity impact; no public exploit identified at time of analysis, though Patchstack has catalogued the issue for the WordPress ecosystem.

Technical ContextAI

BookIt is a WordPress booking/appointment plugin distributed by Liquid Web's StellarWP brand (CPE cpe:2.3:a:liquid_web_/_stellarwp:bookit). The weakness class is CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin enforces authentication on its primary login path but exposes an unauthenticated secondary path (here, the password recovery / reset flow) that can be abused to achieve the same trust level as a logged-in user. Typical implementations of this bug class in WordPress plugins involve predictable reset tokens, missing nonce/permission checks on reset endpoints, or trusting attacker-supplied user identifiers when generating or consuming a reset link.

RemediationAI

Upgrade the BookIt plugin to version 2.5.4.1 or later via the WordPress plugin updater or by downloading the patched release from the vendor - this is the primary fix per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/bookit/vulnerability/wordpress-bookit-plugin-2-5-1-broken-authentication-vulnerability). If immediate patching is not possible, compensating controls include temporarily deactivating the BookIt plugin (side effect: booking functionality will be unavailable to site visitors), restricting access to the plugin's password-recovery endpoint at the web server or WAF layer (side effect: legitimate users will be unable to self-service password resets and must use admin-driven resets), and enforcing strong WordPress administrator-level controls such as 2FA on the underlying user accounts so a stolen plugin-level credential does not directly translate into a full site compromise.

Share

EUVD-2026-33948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy