PT-2025-1579 · WordPress · Wpbookit
István Márton
·
Published
2025-01-09
·
Updated
2025-06-27
·
CVE-2024-10215
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WPBookit plugin for WordPress versions up to, and including, 1.6.4
Description
The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
Recommendations
For WPBookit plugin for WordPress versions up to, and including, 1.6.4, update to a version later than 1.6.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the WordPress installation to minimize the risk of exploitation.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wpbookit