CVE-2026-25414 - Vulnerability Details - OpenCVE

Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

Vendors	Products
Iqonicdesign Subscribe	Wpbookit Pro Subscribe
Wordpress Subscribe	Wordpress Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Iqonicdesign Subscribe	Wpbookit Pro Subscribe
Wordpress Subscribe	Wordpress Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-privilege-escalation-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Iqonicdesign Iqonicdesign wpbookit Pro Wordpress Wordpress wordpress
Vendors & Products		Iqonicdesign Iqonicdesign wpbookit Pro Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18.
Title		WordPress WPBookit Pro plugin <= 1.6.18 - Privilege Escalation vulnerability
Weaknesses		CWE-266
References		https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-privilege-escalation-vulnerability?_s_id=cve

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:14:48.841Z

Updated: 2026-03-26T15:50:04.741Z

Reserved: 2026-02-02T12:53:26.261Z

Link: CVE-2026-25414

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T17:16:50.180

Modified: 2026-03-25T17:16:50.180

Link: CVE-2026-25414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:38:28Z

Weaknesses

CWE-266

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25414", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:26.261Z", "datePublished": "2026-03-25T16:14:48.841Z", "dateUpdated": "2026-03-26T15:50:04.741Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "wpbookit-pro", "product": "WPBookit Pro", "vendor": "iqonicdesign", "versions": [{"lessThanOrEqual": "<= 1.6.18", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.697Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.<p>This issue affects WPBookit Pro: from n/a through <= 1.6.18.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.841Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress WPBookit Pro plugin <= 1.6.18 - Privilege Escalation vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:49:57.737532Z", "id": "CVE-2026-25414", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:50:04.741Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.18]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WPBookit Pro", "source": "cna", "vendor": "iqonicdesign"}, "product": "wpbookit_pro", "vendor": "iqonicdesign"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:53:47.951088+00:00", "value": {"mitigation_remediation": ["Update WPBookit Pro to a version later than 1.6.18 if possible, such as 1.6.19 or newer.", "If an update cannot be applied, disable or remove the plugin entirely.", "Review all user roles and permissions to ensure no unintended high-level privileges remain assigned.", "Continuously monitor vendor advisories for additional updates or security notices."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is WPBookit Pro from iqonicdesign. All releases from the initial launch through version 1.6.18 are susceptible. Users running any of these versions should consider the security risk.", "description_and_impact": "The vulnerability stems from an incorrect privilege assignment in the WPBookit Pro plugin, enabling a user to elevate their access level. This flaw permits an attacker to gain higher privileges on the WordPress site, potentially moving from a standard user role to an administrative role. The issue is categorized as a privilege management weakness (CWE\u2011266).", "risk_and_exploitability": "The CVSS score is not disclosed, and EPSS data is unavailable, so the exact severity and likelihood of exploitation cannot be determined. EPSS information is missing, and the vulnerability is not cataloged in CISA\u2019s KEV, indicating no publicly reported exploitation. Based on the description, it is inferred that the attack likely requires authenticated access to a user account, but the documentation does not confirm whether administrative rights are necessary. The lack of a cataloged exploit does not rule out the possibility that the flaw could be leveraged by a malicious actor who can manipulate role assignments."}}}}, "created": "2026-03-25T21:44:32.764613+00:00", "updated": "2026-03-26T11:38:28.258074+00:00", "vendors": ["iqonicdesign", "iqonicdesign$PRODUCT$wpbookit_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}