The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

Sectigo Blog


Leading provider of SSL/TLS certificates, automated certificate management and website security solutions. Trusted by the world’s largest brands for 20+ years.

Listed: