
Booknetic EUVD-2026-37666

CVE-2026-25439 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-17 Patchstack
8.1
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary source: 8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH

Network-reachable plugin endpoint with no auth or user interaction (AV:N/PR:N/UI:N); AC:H reflects required victim enumeration or sequencing; full account takeover yields C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 12:27 (vuln.today)

Description (CVE.org)

Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.

Analysis (AI)

An account takeover vulnerability in the Booknetic WordPress appointment booking plugin, versions 4.8.5 and earlier, allows remote unauthenticated attackers to bypass authentication controls and gain access to arbitrary user accounts. The Patchstack advisory characterizes this as a broken authentication weakness (CWE-288) with high impact on confidentiality, integrity, and availability. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify WordPress site running Booknetic ≤ 4.8.5
  • Delivery: Enumerate target account identifier
  • Exploit: Send crafted request to broken auth endpoint
  • Execution: Bypass identity validation (CWE-288)
  • Persist: Obtain authenticated session as victim
  • Impact: Access or modify victim booking and account data

Vulnerability Assessment (AI)

Exploitation: The target WordPress site must have the Booknetic plugin installed and active at version 4.8.5 or earlier, with the Booknetic-managed authentication or customer-account workflow reachable from the network (typical for a public booking site). …

Risk Assessment: The CVSS 3.1 base score is 8.1 (High), driven by the network vector, no privileges required, no user interaction, and high CIA impact, with AC:H reflecting non-trivial preconditions (timing, guessing, or chaining required). …

Exploit Scenario: A remote unauthenticated attacker targets a WordPress site running Booknetic ≤ 4.8.5 and sends a crafted request to the plugin's authentication-handling endpoint that exercises the alternate authentication path lacking proper identity validation, which returns a session or account context for a victim user. From the hijacked account the attacker can read the victim's appointment, contact and payment-related data and modify or cancel bookings, with high integrity and availability impact on that account. …

Remediation: An upstream fix is available per the Patchstack advisory; a specific released patched version is not independently confirmed in the provided data, so administrators should consult https://patchstack.com/database/wordpress/plugin/booknetic/vulnerability/wordpress-booknetic-plugin-4-8-5-account-takeover-vulnerability and the FS-Code Booknetic changelog for the exact post-4.8.5 release that contains the fix, then upgrade through the WordPress plugin updater. …

Recommended Action (AI)

Within 24 hours: Conduct inventory of all WordPress installations running Booknetic and confirm version numbers to identify affected systems. …
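The inventory step above can be scripted. The following is an added example, not code from vuln.today, Patchstack or the Booknetic project: it reads the standard WordPress plugin header (the "Plugin Name:" / "Version:" comment block) from each site's plugin directory and flags installs at or below 4.8.5. It assumes the plugin is installed under the default slug directory wp-content/plugins/booknetic.

```python
"""Inventory check for Booknetic <= 4.8.5 across WordPress document roots."""
import re
from pathlib import Path
from typing import Optional

AFFECTED_MAX = "4.8.5"      # highest affected version per the advisory
PLUGIN_SLUG = "booknetic"   # assumed default plugin directory name

# WordPress itself matches header keys case-insensitively and tolerates
# comment prefixes such as " * " or "#", so mirror that here.
_HEADER = re.compile(r"^[ \t/*#@]*{key}:[ \t]*(.+?)[ \t]*$", re.I | re.M)


def parse_version(v: str) -> tuple:
    """'4.8.5' -> (4, 8, 5); pre-release suffixes after '-' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))


def is_affected(version: str) -> bool:
    """True when the installed version is within the advisory's range."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def plugin_version_from_header(text: str) -> Optional[str]:
    """Return the Version: value if text carries a WordPress plugin header."""
    if not _HEADER.pattern and not re.search(_HEADER.pattern.format(key="Plugin Name"), text, re.I | re.M):
        return None
    if not re.search(_HEADER.pattern.format(key="Plugin Name"), text, re.I | re.M):
        return None
    m = re.search(_HEADER.pattern.format(key="Version"), text, re.I | re.M)
    return m.group(1) if m else None


def check_site(docroot: str) -> dict:
    """Inspect one WordPress root; 'affected' is None when not installed."""
    plugin_dir = Path(docroot) / "wp-content" / "plugins" / PLUGIN_SLUG
    result = {"path": docroot, "installed": plugin_dir.is_dir(),
              "version": None, "affected": None}
    if not result["installed"]:
        return result
    for php in sorted(plugin_dir.glob("*.php")):   # main file is top-level
        version = plugin_version_from_header(php.read_text(errors="ignore")[:8192])
        if version:
            result["version"], result["affected"] = version, is_affected(version)
            break
    return result


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:] or ["/var/www/html"]:
        print(check_site(root))
```

Run it with one or more document roots as arguments; a result with "affected": True should be scheduled for the upgrade described in the remediation section.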
