CVE-2024-10215: WPBookit <= 1.6.4 - Unauthenticated Arbitrary User Password Change

9.8 CVSS

Description

The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

Classification

CVE ID: CVE-2024-10215

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Affected Products

Vendor: Iqonic Design

Product: WPBookit

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 40.76% (scored less or equal to compared to others)

EPSS Date: 2025-02-07 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/2d23a2b9-8476-4564-a5de-5e6cfc38ce68?source=cve
https://documentation.iqonic.design/wpbookit/versions/change-log

Timeline

2025-01-10 00:30:11 UTC
CVE

WPBookit <= 1.6.4 - Unauthenticated Arbitrary User Password Change