CVE-2026-40780
Authentication Bypass in BookIt via Alternate Path
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stellarwp | bookit | From 2.5.4.1 (inc) to 2.5.4.1 (exc) |
| stellarwp | bookit | From 2.5.1 (inc) to 2.5.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40780 is a Broken Authentication vulnerability in the WordPress BookIt Plugin versions 2.5.1 and below. It allows unauthenticated attackers to bypass normal authentication mechanisms by exploiting an alternate path or channel in the password recovery process.
This means attackers can perform actions usually restricted to higher-privileged users, potentially gaining admin access without proper credentials.
The vulnerability has a CVSS severity score of 7.5 and is classified under OWASP Top 10 A7: Identification and Authentication Failures.
How can this vulnerability impact me? :
This vulnerability can allow attackers to gain unauthorized administrative access to your WordPress site using the BookIt plugin.
- Attackers can bypass authentication controls without needing valid credentials.
- They may perform privileged actions such as modifying site content, changing configurations, or accessing sensitive data.
- Such unauthorized access can lead to site defacement, data breaches, or further exploitation.
The vulnerability could be exploited in mass campaigns targeting thousands of websites, increasing the risk of widespread impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the BookIt plugin allows unauthenticated attackers to bypass authentication and potentially gain admin access, which constitutes an Identification and Authentication Failure as classified by OWASP Top 10 A7.
Such authentication bypass issues can lead to unauthorized access to sensitive data or administrative functions, which may result in non-compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or health information.
Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations by exposing systems to unauthorized access and potential data breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WordPress BookIt plugin to version 2.5.4.1 or later.
If you are using Patchstack, enable auto-updates for vulnerable plugins to ensure you receive patches promptly.
Alternatively, seek assistance from your hosting provider or developer to apply the necessary updates or patches.