CVE-2026-40780
Deferred Deferred - Pending Action
Authentication Bypass in BookIt via Alternate Path

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Patchstack

Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation. This issue affects BookIt: from n/a before 2.5.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-40780
EUVD
EUVD-2026-33948
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
stellarwp bookit From 2.5.4.1 (inc) to 2.5.4.1 (exc)
stellarwp bookit From 2.5.1 (inc) to 2.5.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40780 is a Broken Authentication vulnerability in the WordPress BookIt Plugin versions 2.5.1 and below. It allows unauthenticated attackers to bypass normal authentication mechanisms by exploiting an alternate path or channel in the password recovery process.

This means attackers can perform actions usually restricted to higher-privileged users, potentially gaining admin access without proper credentials.

The vulnerability has a CVSS severity score of 7.5 and is classified under OWASP Top 10 A7: Identification and Authentication Failures.

Impact Analysis

This vulnerability can allow attackers to gain unauthorized administrative access to your WordPress site using the BookIt plugin.

  • Attackers can bypass authentication controls without needing valid credentials.
  • They may perform privileged actions such as modifying site content, changing configurations, or accessing sensitive data.
  • Such unauthorized access can lead to site defacement, data breaches, or further exploitation.

The vulnerability could be exploited in mass campaigns targeting thousands of websites, increasing the risk of widespread impact.

Mitigation Strategies

To mitigate this vulnerability, immediately update the WordPress BookIt plugin to version 2.5.4.1 or later.

If you are using Patchstack, enable auto-updates for vulnerable plugins to ensure you receive patches promptly.

Alternatively, seek assistance from your hosting provider or developer to apply the necessary updates or patches.

Compliance Impact

The vulnerability in the BookIt plugin allows unauthenticated attackers to bypass authentication and potentially gain admin access, which constitutes an Identification and Authentication Failure as classified by OWASP Top 10 A7.

Such authentication bypass issues can lead to unauthorized access to sensitive data or administrative functions, which may result in non-compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.

Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations by exposing systems to unauthorized access and potential data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40780. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart