Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for WPBookit by Iqonic Design

    CVE-2025-32254 (GCVE-0-2025-32254)

    Vulnerability from nvd – Published: 2025-04-04 15:59 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress WPBookit plugin <= 1.0.7 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPBookit: from n/a through <= 1.0.7.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.0.7 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:38
    Credits
    Pham Van Tam | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-04T18:56:24.599582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-04T18:56:37.386Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpbookit",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.0.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pham Van Tam | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:38:41.368Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects WPBookit: from n/a through \u003c= 1.0.7.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPBookit: from n/a through \u003c= 1.0.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:19.925Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WPBookit plugin \u003c= 1.0.7 - Broken Access Control vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-32254",
        "datePublished": "2025-04-04T15:59:28.387Z",
        "dateReserved": "2025-04-04T10:02:14.481Z",
        "dateUpdated": "2026-04-28T16:12:19.925Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26910 (GCVE-0-2025-26910)

    Vulnerability from nvd – Published: 2025-03-10 14:34 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress WPBookit plugin <= 1.0.1 - Cross Site Request Forgery (CSRF) Vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through <= 1.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.0.1 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:35
    Credits
    Khang Duong | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26910",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T16:56:39.691559Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-11T16:06:37.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpbookit",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.0.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Khang Duong | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:35:22.428Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.\u003cp\u003eThis issue affects WPBookit: from n/a through \u003c= 1.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through \u003c= 1.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:43.886Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WPBookit plugin \u003c= 1.0.1 - Cross Site Request Forgery (CSRF) Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-26910",
        "datePublished": "2025-03-10T14:34:39.538Z",
        "dateReserved": "2025-02-17T11:50:52.141Z",
        "dateUpdated": "2026-04-28T16:11:43.886Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0357 (GCVE-0-2025-0357)

    Vulnerability from nvd – Published: 2025-01-25 01:44 – Updated: 2026-04-08 16:37
    VLAI
    Title
    WPBookit <= 1.6.9 - Unauthenticated Arbitrary File Upload
    Summary
    The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.6.9 (semver)
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0357",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-27T15:34:50.995025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-27T15:34:55.093Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the \u0027WPB_Profile_controller::handle_image_upload\u0027 function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:56.501Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19bf7a68-e76d-4740-9f35-b6084094f59b?source=cve"
            },
            {
              "url": "https://documentation.iqonic.design/wpbookit/versions/change-log"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-09T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-01-09T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-01-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPBookit \u003c= 1.6.9 - Unauthenticated Arbitrary File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0357",
        "datePublished": "2025-01-25T01:44:36.912Z",
        "dateReserved": "2025-01-09T07:03:49.584Z",
        "dateUpdated": "2026-04-08T16:37:56.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10215 (GCVE-0-2024-10215)

    Vulnerability from nvd – Published: 2025-01-09 19:21 – Updated: 2026-04-08 16:44
    VLAI
    Title
    WPBookit <= 1.6.4 - Unauthenticated Arbitrary User Password Change
    Summary
    The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.6.4 (semver)
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10215",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:07:06.769401Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:07:20.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:44:05.685Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d23a2b9-8476-4564-a5de-5e6cfc38ce68?source=cve"
            },
            {
              "url": "https://documentation.iqonic.design/wpbookit/versions/change-log"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-21T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-10-21T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-01-09T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPBookit \u003c= 1.6.4 - Unauthenticated Arbitrary User Password Change"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10215",
        "datePublished": "2025-01-09T19:21:56.597Z",
        "dateReserved": "2024-10-21T15:57:05.564Z",
        "dateUpdated": "2026-04-08T16:44:05.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-54280 (GCVE-0-2024-54280)

    Vulnerability from nvd – Published: 2024-12-16 15:43 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress WPBookit plugin <= 1.6.0 - SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.This issue affects WPBookit: from n/a through <= 1.6.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.6.0 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:30
    Credits
    Aiden | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-54280",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-16T16:20:28.612963Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-16T16:20:47.081Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpbookit",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aiden | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:30:25.377Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.\u003cp\u003eThis issue affects WPBookit: from n/a through \u003c= 1.6.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.This issue affects WPBookit: from n/a through \u003c= 1.6.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:49.217Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-6-0-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WPBookit plugin \u003c= 1.6.0 - SQL Injection vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-54280",
        "datePublished": "2024-12-16T15:43:32.601Z",
        "dateReserved": "2024-12-02T12:04:14.142Z",
        "dateUpdated": "2026-04-28T16:10:49.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-32254 (GCVE-0-2025-32254)

    Vulnerability from cvelistv5 – Published: 2025-04-04 15:59 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress WPBookit plugin <= 1.0.7 - Broken Access Control vulnerability
    Summary
    Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPBookit: from n/a through <= 1.0.7.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.0.7 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:38
    Credits
    Pham Van Tam | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-04T18:56:24.599582Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-04T18:56:37.386Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpbookit",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.0.8",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pham Van Tam | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:38:41.368Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects WPBookit: from n/a through \u003c= 1.0.7.\u003c/p\u003e"
                }
              ],
              "value": "Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPBookit: from n/a through \u003c= 1.0.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:19.925Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WPBookit plugin \u003c= 1.0.7 - Broken Access Control vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-32254",
        "datePublished": "2025-04-04T15:59:28.387Z",
        "dateReserved": "2025-04-04T10:02:14.481Z",
        "dateUpdated": "2026-04-28T16:12:19.925Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-26910 (GCVE-0-2025-26910)

    Vulnerability from cvelistv5 – Published: 2025-03-10 14:34 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress WPBookit plugin <= 1.0.1 - Cross Site Request Forgery (CSRF) Vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through <= 1.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.0.1 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:35
    Credits
    Khang Duong | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-26910",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-10T16:56:39.691559Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-11T16:06:37.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpbookit",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.0.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Khang Duong | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:35:22.428Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.\u003cp\u003eThis issue affects WPBookit: from n/a through \u003c= 1.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects WPBookit: from n/a through \u003c= 1.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:43.886Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WPBookit plugin \u003c= 1.0.1 - Cross Site Request Forgery (CSRF) Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-26910",
        "datePublished": "2025-03-10T14:34:39.538Z",
        "dateReserved": "2025-02-17T11:50:52.141Z",
        "dateUpdated": "2026-04-28T16:11:43.886Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0357 (GCVE-0-2025-0357)

    Vulnerability from cvelistv5 – Published: 2025-01-25 01:44 – Updated: 2026-04-08 16:37
    VLAI
    Title
    WPBookit <= 1.6.9 - Unauthenticated Arbitrary File Upload
    Summary
    The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.6.9 (semver)
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0357",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-27T15:34:50.995025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-27T15:34:55.093Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the \u0027WPB_Profile_controller::handle_image_upload\u0027 function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:37:56.501Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19bf7a68-e76d-4740-9f35-b6084094f59b?source=cve"
            },
            {
              "url": "https://documentation.iqonic.design/wpbookit/versions/change-log"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-09T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-01-09T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-01-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPBookit \u003c= 1.6.9 - Unauthenticated Arbitrary File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0357",
        "datePublished": "2025-01-25T01:44:36.912Z",
        "dateReserved": "2025-01-09T07:03:49.584Z",
        "dateUpdated": "2026-04-08T16:37:56.501Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10215 (GCVE-0-2024-10215)

    Vulnerability from cvelistv5 – Published: 2025-01-09 19:21 – Updated: 2026-04-08 16:44
    VLAI
    Title
    WPBookit <= 1.6.4 - Unauthenticated Arbitrary User Password Change
    Summary
    The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.6.4 (semver)
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10215",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T20:07:06.769401Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T20:07:20.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:44:05.685Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d23a2b9-8476-4564-a5de-5e6cfc38ce68?source=cve"
            },
            {
              "url": "https://documentation.iqonic.design/wpbookit/versions/change-log"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-21T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-10-21T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-01-09T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPBookit \u003c= 1.6.4 - Unauthenticated Arbitrary User Password Change"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10215",
        "datePublished": "2025-01-09T19:21:56.597Z",
        "dateReserved": "2024-10-21T15:57:05.564Z",
        "dateUpdated": "2026-04-08T16:44:05.685Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-54280 (GCVE-0-2024-54280)

    Vulnerability from cvelistv5 – Published: 2024-12-16 15:43 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress WPBookit plugin <= 1.6.0 - SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.This issue affects WPBookit: from n/a through <= 1.6.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Iqonic Design WPBookit Affected: 0 , ≤ 1.6.0 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:30
    Credits
    Aiden | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-54280",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-16T16:20:28.612963Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-16T16:20:47.081Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpbookit",
              "product": "WPBookit",
              "vendor": "Iqonic Design",
              "versions": [
                {
                  "lessThanOrEqual": "1.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aiden | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:30:25.377Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.\u003cp\u003eThis issue affects WPBookit: from n/a through \u003c= 1.6.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Iqonic Design WPBookit wpbookit allows SQL Injection.This issue affects WPBookit: from n/a through \u003c= 1.6.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:10:49.217Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-6-0-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress WPBookit plugin \u003c= 1.6.0 - SQL Injection vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2024-54280",
        "datePublished": "2024-12-16T15:43:32.601Z",
        "dateReserved": "2024-12-02T12:04:14.142Z",
        "dateUpdated": "2026-04-28T16:10:49.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }