PT-2025-20454 · WordPress · Wpbookit

Kenneth Dunn · Published 2025-05-09 · Updated 2026-04-08

CVE-2025-3811

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WPBookit plugin for WordPress, versions up to and including 1.0.2

Description: The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover. The plugin does not properly validate a user's identity before updating that user's details, such as the email address, through the edit_newdata_customer_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and to leverage that change to reset the user's password and gain access to the account.

Recommendations: For WPBookit plugin for WordPress versions up to and including 1.0.2, consider disabling the edit_newdata_customer_callback() function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. Update the plugin to a version that includes the fix for this issue, if available.
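The root cause described above is an update handler that trusts request data for the identity of the account being modified. The following is an added illustration, not WPBookit's code or its fix, of how a WordPress AJAX handler should bind the update to the authenticated caller; the action name, nonce name and POST field names are assumptions for this example.

```php
<?php
// Added illustration (not WPBookit's code): an AJAX handler that binds the
// account update to the authenticated caller instead of trusting a submitted
// user ID. The action, nonce and field names are assumptions for this example.

add_action( 'wp_ajax_example_update_customer', 'example_update_customer' );
// Deliberately no 'wp_ajax_nopriv_' registration: unauthenticated requests
// must never reach an account-update handler at all.

function example_update_customer() {
    // 1. Require a logged-in user; never derive identity from request data.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. Require a nonce so a logged-in user cannot be tricked (CSRF) into the change.
    check_ajax_referer( 'example_update_customer', 'nonce' );

    // 3. Authorize: a caller may edit only their own account unless they hold the
    //    edit_user meta capability for the target (e.g. administrators).
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( $target_id !== get_current_user_id() && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Validate the new address before it reaches the database.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    $owner = email_exists( $email ); // user ID that already owns this address, or false
    if ( $owner && $owner !== $target_id ) {
        wp_send_json_error( array( 'message' => 'Email already in use.' ), 409 );
    }

    // 5. Perform the update and report the outcome (wp_send_json_* ends the request).
    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $target_id ) );
}
```

Reviewing a plugin for this class of bug means checking each `wp_ajax_nopriv_*` registration and each handler that accepts a user ID from the request: the target of an account-detail update must come from `get_current_user_id()` or pass a `current_user_can( 'edit_user', $id )` check, and the email change path should still trigger WordPress's normal notification to the old address so a takeover attempt is visible to the account owner.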

Fix

LPE

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-3811

Affected Products

Wpbookit