CVE-2025-3811 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the WPBookit plugin for WordPress, developed by iqonicdesign. The vulnerability arises from insufficient validation of user identity in the edit_newdata_customer_callback() function, which handles updating user details such as email addresses. Because the plugin does not verify that the requestor is authorized to modify the targeted user's data, an unauthenticated attacker can submit crafted requests to change any user's email address, including those of administrators. Once the email is changed, the attacker can initiate a password reset process, receiving reset links or tokens sent to the attacker-controlled email, thereby gaining full access to the victim's account. This attack requires no authentication or user interaction and can be performed remotely over the network. The vulnerability affects all versions of WPBookit up to and including 1.0.2. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable and dangerous, especially on sites where WPBookit is installed and administrators use the plugin. The lack of a patch or official fix at the time of publication increases the urgency for mitigation.

This vulnerability allows attackers to take over any user account on a WordPress site running the vulnerable WPBookit plugin, including administrator accounts. Compromise of administrator accounts can lead to complete site takeover, enabling attackers to install malware, deface websites, steal sensitive data, or pivot to other internal systems. The ability to reset passwords without authentication severely undermines user account security and trust. For organizations, this can result in data breaches, loss of customer trust, regulatory penalties, and operational disruption. Given WordPress's widespread use globally and the plugin's presence in booking or scheduling contexts, the impact can affect small businesses, e-commerce sites, and enterprises alike. The vulnerability also poses risks to hosting providers and managed WordPress services that may have multiple clients using the plugin. The absence of known exploits in the wild does not diminish the threat, as the vulnerability is straightforward to exploit remotely and anonymously.

Until an official patch is released, organizations should immediately disable or uninstall the WPBookit plugin to prevent exploitation. If disabling is not feasible, restrict access to the plugin's endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to the edit_newdata_customer_callback() function or related URLs. Monitor logs for suspicious requests attempting to change user emails or reset passwords. Enforce multi-factor authentication (MFA) on all administrator accounts to reduce the risk of account takeover even if password resets occur. Regularly audit user accounts for unauthorized email changes and password resets. Keep WordPress core and all plugins updated, and subscribe to vendor advisories for prompt patch deployment once available. Consider isolating critical WordPress instances behind VPNs or IP whitelisting to limit exposure. Educate site administrators about the risk and signs of compromise to enable rapid incident response.