CVE-2025-3810: 
WordPress vulnerability analysis and mitigation

The WPBookit plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-3810) discovered and disclosed on May 8, 2025. This security flaw affects all versions up to and including 1.0.2, residing in the plugin's user profile update functionality. The vulnerability stems from improper user identity validation in the editprofiledata() function (NVD, Wiz).

The vulnerability exists due to the plugin not properly validating a user's identity prior to updating their details through the editprofiledata() function. The security flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This scoring indicates network accessibility, low attack complexity, and no required privileges or user interaction for successful exploitation (NVD).

The vulnerability allows unauthenticated attackers to modify any user's email address and password, including those of administrators. This can lead to complete account takeover and unauthorized access to administrative functions, potentially compromising the entire WordPress installation (NVD, Wiz).

Website administrators running the WPBookit plugin should immediately update to a version newer than 1.0.2 if available. If no patch is available, it is recommended to disable or remove the plugin until a security update is released (Wiz).