Privilege Escalation in WPBookit Plugin for WordPress
CVE-2025-3811
9.8 CRITICAL
What is CVE-2025-3811?
The WPBookit plugin for WordPress is vulnerable to privilege escalation that lets unauthenticated attackers take over user accounts, including administrator accounts. The flaw stems from inadequate validation of user identity when user information is updated: the edit_newdata_customer_callback() function does not adequately verify who is making the request, so an attacker can change the email address of any user. With the account's email address under their control, the attacker can trigger a password reset for that user and gain full access to the account. Administrators and users should check the installed plugin version and apply the available update.
Affected Version(s)
WPBookit: all versions up to and including 1.0.2
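As an added example, not code from the WPBookit plugin or its authors: a hardened WordPress AJAX handler for the kind of customer-profile update the advisory describes, where the account being edited is taken from the authenticated session rather than from the request. The hook name, function name and field names are assumptions.

```php
<?php
// Hypothetical hardened handler for a "customer updates own profile" AJAX
// action. Hook, function and field names are assumptions, not WPBookit's.
//
// The bug class in the advisory: a handler that trusts a user id (or email)
// supplied in the request lets any caller change the email address of any
// account, after which WordPress's password-reset flow delivers a reset link
// to the attacker's mailbox. The fixes below remove each missing check.

// Register only the authenticated hook. The wp_ajax_nopriv_* variant is
// deliberately absent, so logged-out visitors get no handler at all.
add_action( 'wp_ajax_example_update_customer', 'example_update_customer_callback' );

function example_update_customer_callback() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_update_customer', 'nonce' );

    // 2. Identity: the target account is the caller's own session user.
    //    The request body is never consulted for the target ID.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    // 3. Validate the new address before touching the account.
    $new_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $new_email || ! is_email( $new_email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    // 4. Refuse a move onto an address that another account already owns.
    $existing = email_exists( $new_email );
    if ( false !== $existing && (int) $existing !== $user_id ) {
        wp_send_json_error( array( 'message' => 'Email already in use.' ), 409 );
    }

    // 5. Apply the change to the session user only.
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

If a legitimate use case requires staff to edit other customers' records, the target ID may come from the request only after a current_user_can( 'edit_user', $target_id ) check; the unauthenticated path should still not exist.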