Primary

Context

WPBookit Plugin Privilege Escalation Vulnerability via Email Update

Vulnerability

A privilege escalation vulnerability allowing account takeover has been identified in the WPBookit plugin for WordPress, affecting all versions through 1.0.2. The issue arises because the plugin fails to properly verify a user's identity before allowing changes to be made to user details, such as email addresses, in the edit_newdata_customer_callback() function. This vulnerability enables unauthenticated attackers to alter the email addresses of any user, including administrators. Once the email is changed, the attacker can reset the user's password and gain access to their account.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling attackers to gain access to user accounts, including those of administrators.

Remediation

Users are advised to update the WPBookit plugin to version 1.0.3 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.1

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.1

remediation

7.7

relevance

0.0

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WPBookit Plugin Privilege Escalation Vulnerability via Email Update

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating