CVE-2025-48142: 
WordPress vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2025-48142) was discovered in Saad Iqbal's Bookify WordPress plugin, affecting versions through 1.0.9. The vulnerability was reported by security researcher Denver Jackson and was publicly disclosed on July 29, 2025 (Patchstack).

The vulnerability is classified as an Incorrect Privilege Assignment (CWE-266) issue. It received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Subscriber-level privileges to exploit, indicating it affects authenticated users with low-level access permissions (Patchstack).

This high-severity vulnerability could allow malicious actors to escalate their low-privileged account to higher privileges, potentially leading to full website control if administrative privileges are gained. The vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

The vulnerability has been fixed in version 1.0.10 of the Bookify plugin. Users are strongly advised to update to version 1.0.10 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).