CVE-2026-25414
Received Received - Intake

Privilege Escalation via Incorrect Privilege Assignment in WPBookit Pro

Vulnerability report for CVE-2026-25414, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description

Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-03-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
iqonicdesign wpbookit_pro to 1.6.18 (inc)
iqonicdesign wpbookit_pro From 1.0.0 (inc) to 1.6.18 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Incorrect Privilege Assignment issue in the iqonicdesign WPBookit Pro plugin (version up to 1.6.18). It allows privilege escalation, meaning that a user could gain higher access rights than intended.

Impact Analysis

The impact of this vulnerability is that an attacker or unauthorized user could escalate their privileges within the affected system, potentially gaining access to restricted functions or data that should be protected.

Compliance Impact

CVE-2026-25414 is a high-priority privilege escalation vulnerability that allows attackers with low-level access to escalate their privileges and potentially gain full control over the affected WordPress website.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data, which may result in violations of data protection regulations and standards such as GDPR and HIPAA.

Organizations using the vulnerable WPBookit Pro plugin without mitigation or patching risk non-compliance due to potential data breaches or unauthorized data access stemming from this vulnerability.

Detection Guidance

This vulnerability affects the WordPress WPBookit Pro plugin versions up to and including 1.6.18. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.

You can check the installed plugin version by accessing your WordPress installation directory and running commands such as:

  • Navigate to the plugins directory: cd wp-content/plugins/wpbookit-pro
  • Check the plugin version in the main plugin file (e.g., wpbookit-pro.php) using: grep 'Version' wpbookit-pro.php

Additionally, monitoring for unusual privilege escalation attempts or suspicious activity from low-privilege users could indicate exploitation attempts.

Mitigation Strategies

Since no official patch is currently available for this vulnerability, immediate mitigation involves applying the mitigation rule provided by Patchstack to block exploitation attempts.

Other recommended steps include:

  • Apply Patchstack’s mitigation measures to block attacks exploiting this vulnerability.
  • Limit user privileges by ensuring that users only have the minimum necessary access.
  • Monitor your WordPress site for suspicious activity, especially from low-privilege accounts.
  • Update the WPBookit Pro plugin to a patched version as soon as it becomes available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart