CVE-2025-3810

Name of the Vulnerable Software and Affected Versions WPBookit plugin for WordPress versions up to, and including, 1.0.2

Description The issue is related to privilege escalation via account takeover. This is due to the plugin not properly validating a user's identity prior to updating their details like password and email through the edit profile data() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses and passwords, including administrators, and leverage that to gain access to their account.

Recommendations For WPBookit plugin for WordPress versions up to, and including, 1.0.2, consider disabling the edit profile data() function until a patch is available to prevent unauthenticated attackers from changing user details. Restrict access to user account management features to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.