CVE-2025-3810: CWE-639 Authorization Bypass Through User-Controlled Key in iqonicdesign WPBookit
The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details, such as password and email, through the edit_profile_data() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses and passwords, including those of administrators, and leverage that to gain access to their accounts.
AI Analysis
Technical Summary
The WPBookit plugin for WordPress, developed by iqonicdesign, contains a critical authorization bypass vulnerability identified as CVE-2025-3810. This vulnerability arises from improper validation of user identity in the edit_profile_data() function, which handles updates to user details such as passwords and email addresses. Specifically, the plugin fails to verify that the request to update profile data originates from the legitimate user or an authorized administrator. Consequently, an unauthenticated attacker can craft requests to modify arbitrary users' credentials, including those of administrator accounts. This effectively allows privilege escalation and full account takeover without requiring any prior authentication or user interaction. The vulnerability is classified under CWE-639, which involves authorization bypass through user-controlled keys or parameters. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's ease of exploitation (network attack vector, no privileges required, no user interaction) and its severe impact on confidentiality, integrity, and availability. The vulnerability affects all versions of WPBookit up to and including 1.0.2. As of the published date, no official patches or updates have been released, and no active exploitation has been observed. Given the widespread use of WordPress and the potential for administrative account compromise, this vulnerability represents a significant security risk.
Potential Impact
The impact of CVE-2025-3810 is severe for organizations running WordPress sites with the WPBookit plugin installed. Successful exploitation allows attackers to take over any user account, including administrators, leading to complete control over the affected WordPress instance. This can result in unauthorized data access, modification, or deletion, site defacement, deployment of malware or ransomware, and use of the compromised site as a launchpad for further attacks within an organization's network. The breach of administrator accounts undermines the integrity and availability of the website and can lead to loss of customer trust, regulatory penalties, and financial damage. Since the vulnerability requires no authentication or user interaction, automated mass exploitation attempts are likely once public awareness increases. Organizations with publicly accessible WordPress sites are particularly at risk, as attackers can exploit this remotely over the internet.
Mitigation Recommendations
Until an official patch is released, organizations should take immediate steps to mitigate the risk:
1) Disable or uninstall the WPBookit plugin if it is not essential to business operations.
2) Restrict access to WordPress administrative interfaces using IP whitelisting, VPNs, or web application firewalls (WAFs), and use the WAF to block unauthorized requests targeting the edit_profile_data() function.
3) Monitor web server and application logs for suspicious requests attempting to modify user profiles without authentication.
4) Implement multi-factor authentication (MFA) for all administrative accounts to reduce the impact of credential compromise.
5) Regularly back up WordPress sites and databases to enable rapid recovery in case of compromise.
6) Follow vendor communications closely and apply security patches immediately once available.
7) Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts.
8) Conduct a thorough audit of user accounts and reset passwords for all users, especially administrators, if compromise is suspected.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-18T18:08:49.740Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd7da3
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 2/27/2026, 1:52:39 PM
Last updated: 3/26/2026, 7:01:47 AM