CVE-2024-10215

9.8 CRITICAL

📋 TL;DR

The WPBookit WordPress plugin vulnerability allows unauthenticated attackers to change any user's password, including administrators, by bypassing authorization checks. This affects all WordPress sites using WPBookit versions 1.6.4 and earlier. Attackers can take over accounts and gain administrative access to vulnerable websites.

💻 Affected Systems

Products:
  • WPBookit WordPress Plugin
Versions: Up to and including version 1.6.4
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable WPBookit plugin versions enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover where attackers gain administrator access, install backdoors, steal data, deface the site, or use it for further attacks.

🟠

Likely Case

Administrator account compromise leading to site defacement, malware injection, or data theft.

🟢

If Mitigated

Limited impact if strong monitoring detects unusual password change activity and administrators can quickly regain control.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability requires no authentication.
🏢 Internal Only: LOW - This primarily affects public-facing WordPress installations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available, and the attack requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.6.5 or later

Vendor Advisory: https://documentation.iqonic.design/wpbookit/versions/change-log

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPBookit and update to version 1.6.5 or later.
4. If auto-update is available, enable it.

🔧 Temporary Workarounds

Disable WPBookit Plugin (applies to: all platforms)

Temporarily deactivate the vulnerable plugin until patched:

wp plugin deactivate wpbookit

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized password change requests
  • Enable strong monitoring for unusual password reset activities and administrator account changes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WPBookit version 1.6.4 or earlier.

Check Version:

wp plugin get wpbookit --field=version

Verify Fix Applied:

Confirm WPBookit plugin version is 1.6.5 or later in WordPress admin panel.
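As an added example (not part of the original advisory), the version check above can be scripted so it can run across many sites. The function below compares a WPBookit version string against the last vulnerable release, 1.6.4; the usage line assumes wp-cli is installed and is run from the WordPress root, as the `wp plugin get` command on this page does.

```shell
#!/bin/sh
# Returns 0 (true) if the given WPBookit version is 1.6.4 or older
# (i.e. affected by CVE-2024-10215), 1 otherwise.
# Portable: uses awk rather than GNU-only `sort -V`.
wpbookit_is_vulnerable() {
  ver="$1"
  echo "$ver" | awk -F. '{
    major = $1 + 0; minor = $2 + 0; patch = $3 + 0
    # Vulnerable when version <= 1.6.4
    if (major < 1 || (major == 1 && (minor < 6 || (minor == 6 && patch <= 4))))
      exit 0
    else
      exit 1
  }'
}

# Usage on a live site (assumes wp-cli is available and the shell is in the WordPress root):
#   v="$(wp plugin get wpbookit --field=version)"
#   if wpbookit_is_vulnerable "$v"; then
#     echo "WPBookit $v is vulnerable: update to 1.6.5 or later"
#   else
#     echo "WPBookit $v is not affected by CVE-2024-10215"
#   fi
```

The same function can be fed the output of `wp plugin list --field=version --name=wpbookit` style inventories from a fleet, so a single loop can flag every site still on 1.6.4 or older.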

📡 Detection & Monitoring

Log Indicators:

  • Unusual password change requests, especially for administrator accounts from unauthenticated users
  • Multiple failed login attempts followed by successful password reset

Network Indicators:

  • HTTP POST requests to WPBookit endpoints with password change parameters from unauthenticated sources

SIEM Query:

source="wordpress.log" AND ("password_change" OR "wpbookit") AND status=200 AND user="-"
