CVE-2024-10215: 
WordPress vulnerability analysis and mitigation

The WPBookit plugin for WordPress contains a critical vulnerability (CVE-2024-10215) affecting versions up to and including 1.6.4. This vulnerability allows for Arbitrary User Password Change due to the plugin providing user-controlled access to objects, enabling unauthorized users to bypass authentication controls (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-639 (Authorization Bypass Through User-Controlled Key). This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows unauthenticated attackers to change user passwords and potentially take over administrator accounts, which could lead to complete compromise of affected WordPress installations (NVD).

Based on the changelog, the vulnerability was addressed in version 1.6.10 released on January 23, 2025, which included security fixes related to file uploads (WPBookit Changelog). Users are advised to update to the latest version of the plugin immediately.