CVE-2026-25414
Privilege Escalation via Incorrect Privilege Assignment in WPBookit Pro
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iqonicdesign | wpbookit_pro | to 1.6.18 (inc) |
| iqonicdesign | wpbookit_pro | From 1.0.0 (inc) to 1.6.18 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-25414 is a high-priority privilege escalation vulnerability that allows attackers with low-level access to escalate their privileges and potentially gain full control over the affected WordPress website.
Such unauthorized privilege escalation can lead to unauthorized access to sensitive data, which may result in violations of data protection regulations and standards such as GDPR and HIPAA.
Organizations using the vulnerable WPBookit Pro plugin without mitigation or patching risk non-compliance due to potential data breaches or unauthorized data access stemming from this vulnerability.
Can you explain this vulnerability to me?
This vulnerability is an Incorrect Privilege Assignment issue in the iqonicdesign WPBookit Pro plugin (version up to 1.6.18). It allows privilege escalation, meaning that a user could gain higher access rights than intended.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker or unauthorized user could escalate their privileges within the affected system, potentially gaining access to restricted functions or data that should be protected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the WordPress WPBookit Pro plugin versions up to and including 1.6.18. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.
You can check the installed plugin version from your WordPress installation directory with commands such as:
- Navigate to the plugins directory: `cd wp-content/plugins/wpbookit-pro`
- Check the plugin version in the main plugin file (e.g., `wpbookit-pro.php`) using: `grep 'Version' wpbookit-pro.php`
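The two steps above can be folded into a single repeatable check. The script below is an added example, not part of this record and not a Patchstack tool; it assumes the plugin's main file sits at `wp-content/plugins/wpbookit-pro/wpbookit-pro.php` (the answer above gives that only as an example path) and, following the affected-versions table, treats every version up to and including 1.6.18 as affected. The `demo` function builds a constructed plugin header in a temporary directory so the script can be exercised without a live site.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an installed WPBookit Pro
# copy falls in the affected range (all versions up to and including 1.6.18).
# Assumption: the plugin directory is wp-content/plugins/wpbookit-pro and its
# main file is wpbookit-pro.php; adjust if your install differs.

LAST_AFFECTED="1.6.18"

# Extract the value of the "Version:" header from a plugin's main PHP file.
# Matches both " * Version: 1.2.3" (inside a /** */ block) and "Version: 1.2.3".
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) when version $1 <= version $2, ordering components numerically
# via sort -V so that 1.6.2 sorts before 1.6.18.
version_le() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "vulnerable" or "not-affected" for a version string.
classify_version() {
    if version_le "$1" "$LAST_AFFECTED"; then
        echo vulnerable
    else
        echo not-affected
    fi
}

# Check one WordPress install; $1 is the WordPress root directory.
# Prints one of: not-installed | unknown-version | vulnerable <v> | not-affected <v>
check_site() {
    main="$1/wp-content/plugins/wpbookit-pro/wpbookit-pro.php"
    if [ ! -f "$main" ]; then
        echo not-installed
        return 0
    fi
    v="$(plugin_version "$main")"
    if [ -z "$v" ]; then
        echo unknown-version
        return 0
    fi
    echo "$(classify_version "$v") $v"
}

# Offline demonstration on a constructed plugin header (not a real install).
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/wp-content/plugins/wpbookit-pro"
    cat > "$tmp/wp-content/plugins/wpbookit-pro/wpbookit-pro.php" <<'EOF'
<?php
/**
 * Plugin Name: WPBookit Pro
 * Version: 1.6.18
 */
EOF
    check_site "$tmp"
    rm -rf "$tmp"
}
```

Run `check_site /var/www/html` (or wherever WordPress lives) on each host; the output is a single line that is easy to collect across a fleet, and `unknown-version` flags copies whose header the pattern could not parse so they can be reviewed by hand rather than silently passing.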
Additionally, monitoring for unusual privilege escalation attempts or suspicious activity from low-privilege users could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the mitigation rule provided by Patchstack to block exploitation attempts.
Other recommended steps include:
- Apply Patchstack's mitigation measures to block attacks exploiting this vulnerability.
- Limit user privileges by ensuring that users only have the minimum necessary access.
- Monitor your WordPress site for suspicious activity, especially from low-privilege accounts.
- Update the WPBookit Pro plugin to a patched version as soon as it becomes available.