CVE-2025-3811: 
WordPress vulnerability analysis and mitigation

The WPBookit plugin for WordPress contains a privilege escalation vulnerability via account takeover in versions up to and including 1.0.2 (CVE-2025-3811). The vulnerability was discovered and disclosed on May 8, 2025. This security issue affects the plugin's user detail update functionality, specifically in the editnewdatacustomer_callback() function (NVD, Wordfence).

The vulnerability stems from improper validation of user identity before allowing email address updates through the editnewdatacustomer_callback() function. The issue has been assigned a CVSS v3.1 score of 9.8 (Critical), indicating the highest severity level. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

This vulnerability allows unauthenticated attackers to modify any user's email address, including administrators. Once an attacker changes a user's email address, they can leverage WordPress's password reset functionality to gain unauthorized access to the account, effectively achieving privilege escalation (NVD).

A patch has been implemented in the WordPress plugin repository as evidenced by the code changes in the class.wpb-customer-controller.php file. The update adds proper authentication checks and user validation before allowing email address modifications (WordPress Plugin).