{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25414", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:26.261Z", "datePublished": "2026-03-25T16:14:48.841Z", "dateUpdated": "2026-03-25T16:14:48.841Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "wpbookit-pro", "product": "WPBookit Pro", "vendor": "iqonicdesign", "versions": [{"lessThanOrEqual": "<= 1.6.18", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.697Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.<p>This issue affects WPBookit Pro: from n/a through <= 1.6.18.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.841Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress WPBookit Pro plugin <= 1.6.18 - Privilege Escalation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Privilege Escalation.This issue affects WPBookit Pro: from n/a through <= 1.6.18."}], "id": "CVE-2026-25414", "lastModified": "2026-03-25T17:16:50.180", "metrics": {}, "published": "2026-03-25T17:16:50.180", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:53:47.951088+00:00", "value": {"mitigation_remediation": ["Update WPBookit Pro to a version later than 1.6.18 if possible, such as 1.6.19 or newer.", "If an update cannot be applied, disable or remove the plugin entirely.", "Review all user roles and permissions to ensure no unintended high-level privileges remain assigned.", "Continuously monitor vendor advisories for additional updates or security notices."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is WPBookit Pro from iqonicdesign. All releases from the initial launch through version 1.6.18 are susceptible. Users running any of these versions should consider the security risk.", "description_and_impact": "The vulnerability stems from an incorrect privilege assignment in the WPBookit Pro plugin, enabling a user to elevate their access level. This flaw permits an attacker to gain higher privileges on the WordPress site, potentially moving from a standard user role to an administrative role. The issue is categorized as a privilege management weakness (CWE\u2011266).", "risk_and_exploitability": "The CVSS score is not disclosed, and EPSS data is unavailable, so the exact severity and likelihood of exploitation cannot be determined. EPSS information is missing, and the vulnerability is not cataloged in CISA\u2019s KEV, indicating no publicly reported exploitation. Based on the description, it is inferred that the attack likely requires authenticated access to a user account, but the documentation does not confirm whether administrative rights are necessary. The lack of a cataloged exploit does not rule out the possibility that the flaw could be leveraged by a malicious actor who can manipulate role assignments."}}}}, "created": "2026-03-25T21:44:32.764613+00:00", "updated": "2026-03-25T21:44:32.764639+00:00", "vendors": []}