CVE-2026-40780
Description
BookIt plugin versions prior to 2.5.4.1 are vulnerable to an authentication bypass, potentially allowing attackers to gain admin access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An Authentication Bypass Using an Alternate Path or Channel vulnerability exists in the Liquid Web / StellarWP BookIt plugin. This issue affects BookIt versions prior to 2.5.4.1 [1].
Exploitation
This vulnerability can be abused by a malicious actor to perform actions normally restricted to higher-privileged users. The exact steps for exploitation are not detailed in the available references, but the issue is described as exploitation of password recovery [1].
Impact
Successful exploitation of this vulnerability could allow a malicious actor to gain administrative access to the website. The available references suggest this could lead to unauthorized actions typically reserved for administrators [1].
Mitigation
Update to BookIt version 2.5.4.1 or later to resolve this vulnerability. If updating is not immediately possible, seek assistance from your hosting provider or web developer [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: <2.5.4.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.