CVE-2025-3810 is a critical security vulnerability affecting the WPBookit plugin for WordPress, developed by iqonicdesign. This vulnerability is classified under CWE-639, which pertains to authorization bypass through user-controlled keys. The flaw exists in all versions up to and including 1.0.2 of the plugin. The root cause is improper validation of user identity within the edit_profile_data() function. Specifically, the plugin fails to verify that the user requesting changes to profile details such as email and password is authorized to do so. This lack of validation allows unauthenticated attackers to modify arbitrary users' credentials, including those of administrators. By changing an administrator’s email and password, an attacker can effectively take over the account, gaining full administrative access to the WordPress site. The vulnerability has a CVSS 3.1 base score of 9.8, indicating a critical severity level. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) shows that the attack can be performed remotely over the network without any privileges or user interaction, and it impacts confidentiality, integrity, and availability to a high degree. No patches or fixes have been published at the time of this report, and there are no known exploits in the wild yet. However, the ease of exploitation combined with the potential for complete site takeover makes this a highly urgent issue for any site using the affected plugin versions.

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the WPBookit plugin for booking or scheduling services. Successful exploitation can lead to full administrative control over the affected WordPress site, enabling attackers to steal sensitive data, deface websites, inject malicious code, or use the compromised site as a foothold for further attacks within the organization's network. This could disrupt business operations, damage reputation, and lead to regulatory non-compliance, particularly under GDPR, due to unauthorized access and potential data breaches. Organizations in sectors such as hospitality, healthcare, education, and government that use WPBookit for customer-facing services are particularly vulnerable. The ability to escalate privileges without authentication means attackers can easily compromise sites without prior access, increasing the attack surface and risk of widespread exploitation across multiple organizations.

Immediate mitigation steps include: 1) Disabling the WPBookit plugin until a security patch is released by the vendor. 2) Monitoring WordPress sites for unusual account changes or login activity, especially changes to administrator accounts. 3) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the edit_profile_data() function or related endpoints. 4) Restricting access to WordPress admin interfaces by IP whitelisting or VPN access where feasible. 5) Enforcing multi-factor authentication (MFA) for all administrator accounts to reduce the impact of credential compromise. 6) Regularly backing up WordPress sites and databases to enable rapid restoration in case of compromise. 7) Once a patch is available, promptly updating the WPBookit plugin to the fixed version. Additionally, organizations should conduct security audits of their WordPress installations and educate administrators about this vulnerability and signs of exploitation.