CVE-2026-25414
Received Received - Intake
Privilege Escalation via Incorrect Privilege Assignment in WPBookit Pro

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25414
EUVD
EUVD-2026-15721
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
iqonicdesign wpbookit_pro to 1.6.18 (inc)
iqonicdesign wpbookit_pro From 1.0.0 (inc) to 1.6.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an Incorrect Privilege Assignment issue in the iqonicdesign WPBookit Pro plugin (version up to 1.6.18). It allows privilege escalation, meaning that a user could gain higher access rights than intended.

Impact Analysis

The impact of this vulnerability is that an attacker or unauthorized user could escalate their privileges within the affected system, potentially gaining access to restricted functions or data that should be protected.

Compliance Impact

CVE-2026-25414 is a high-priority privilege escalation vulnerability that allows attackers with low-level access to escalate their privileges and potentially gain full control over the affected WordPress website.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data, which may result in violations of data protection regulations and standards such as GDPR and HIPAA.

Organizations using the vulnerable WPBookit Pro plugin without mitigation or patching risk non-compliance due to potential data breaches or unauthorized data access stemming from this vulnerability.

Detection Guidance

This vulnerability affects the WordPress WPBookit Pro plugin versions up to and including 1.6.18. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.

You can check the installed plugin version by accessing your WordPress installation directory and running commands such as:

  • Navigate to the plugins directory: cd wp-content/plugins/wpbookit-pro
  • Check the plugin version in the main plugin file (e.g., wpbookit-pro.php) using: grep 'Version' wpbookit-pro.php

Additionally, monitoring for unusual privilege escalation attempts or suspicious activity from low-privilege users could indicate exploitation attempts.

Mitigation Strategies

Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the mitigation rule provided by Patchstack to block exploitation attempts.

Other recommended steps include:

  • Apply Patchstack’s mitigation measures to block attacks exploiting this vulnerability.
  • Limit user privileges by ensuring that users only have the minimum necessary access.
  • Monitor your WordPress site for suspicious activity, especially from low-privilege accounts.
  • Update the WPBookit Pro plugin to a patched version as soon as it becomes available.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart