CVE-2026-40780: BookIt Authentication Bypass via Password Recovery
Liquid Web's BookIt plugin contains a flaw in its password recovery mechanism that allows attackers to bypass authentication. Rather than attacking the login process directly, an attacker can exploit an alternate recovery path to gain unauthorized access without needing valid credentials. This affects BookIt versions before 2.5.4.1.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-288
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation. This issue affects BookIt: from n/a before 2.5.4.1.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40780 is an authentication bypass vulnerability (CWE-288) in BookIt that stems from improper validation in the password recovery channel. The vulnerability permits unauthenticated attackers to circumvent authentication controls via the recovery mechanism, achieving account takeover or unauthorized access. The CVSS 3.1 score of 7.5 (HIGH) reflects the network-exploitable nature with no user interaction required, though integrity impact is the primary concern rather than confidentiality loss.
Business impact
Successful exploitation enables attackers to compromise user accounts without password knowledge, potentially leading to unauthorized access to booking systems, customer data exposure, or business process disruption. For organizations relying on BookIt for scheduling or reservation management, an attack could result in account takeovers affecting customers or staff, with downstream impacts on operational continuity and customer trust.
Affected systems
BookIt versions prior to 2.5.4.1 are vulnerable. The plugin is distributed by StellarWP/Liquid Web and is commonly used for appointment and booking management. Any WordPress or web-based implementation running an affected version requires immediate attention.
Exploitability
The vulnerability is highly exploitable. It requires no authentication, no special user interaction, and can be triggered remotely over the network. The straightforward nature of the authentication bypass via password recovery makes this an attractive target for opportunistic attackers. No special tools or deep technical knowledge is required to attempt exploitation.
Remediation
Update BookIt to version 2.5.4.1 or later. Verify the installed version in your plugin settings or via administrative tools, and apply the patch immediately given the high exploitability and ease of attack. If immediate patching is not feasible, restrict access to the password recovery endpoint at the firewall or application level as a temporary measure.
Patch guidance
Upgrade BookIt to version 2.5.4.1 or any subsequent release. Consult the official StellarWP/Liquid Web advisory for specific update instructions and any interim workarounds. Test the update in a staging environment first to ensure compatibility with your WordPress installation and any dependent integrations.
Detection guidance
Monitor web logs for unusual password recovery requests, particularly multiple attempts against different user accounts in short timeframes or requests with atypical parameters. Implement logging on the password recovery endpoint to detect brute-force or enumeration patterns. Alert on successful account access immediately following password recovery requests that do not correspond to user-initiated actions.
Why prioritize this
This vulnerability should be prioritized as HIGH due to its ease of exploitation, lack of authentication requirements, and direct path to account compromise. The integrity impact allows attackers to modify bookings, impersonate users, or access sensitive customer data. Organizations using BookIt should treat this as critical until patched.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a high-risk vulnerability: network-exploitable (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), and no user interaction needed (UI:N). While confidentiality is not affected (C:N), the high integrity impact (I:H) from unauthorized account access justifies the HIGH severity rating. The scope is unchanged (S:U), limiting cross-tenant concerns but not reducing the direct threat to affected deployments.
Frequently asked questions
Does patching BookIt require downtime?
Typically, WordPress plugin updates do not require downtime and can be applied through the admin interface. However, best practice is to test the update in a non-production environment first to verify compatibility with your specific setup, custom code, or third-party integrations.
Can I detect if my BookIt instance has been exploited?
Review web server logs and WordPress login logs for unusual password reset requests, unexpected account modifications, or logins from unfamiliar IP addresses. Enable WordPress security logging plugins if available. Check for recently changed booking records or customer account details that you did not authorize.
What if I cannot patch immediately?
As a temporary measure, disable or restrict access to the password recovery page using web server configuration (htaccess or nginx rules) or a Web Application Firewall. Implement rate limiting on the recovery endpoint. Monitor closely for exploitation attempts. However, this is not a substitute for patching and should be treated as a short-term holding action only.
Is this vulnerability currently being exploited in the wild?
As of the published date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. However, given its high exploitability and ease of weaponization, the absence of KEV status does not guarantee no active exploitation—monitor threat intelligence sources and your own logs closely.
This analysis is provided for informational and educational purposes. The information reflects publicly available data as of the publication date. Exploitation of vulnerabilities without authorization is illegal. Organizations should verify all technical details against official vendor advisories, conduct their own risk assessments, and implement patches in accordance with their change management policies. SEC.co makes no warranties regarding the completeness or accuracy of this analysis and assumes no liability for damages resulting from its use or reliance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-42654HIGHWP Swings Wallet System Authentication Bypass Allows Account Takeover
- CVE-2026-36175MEDIUMGNCC GP5 Physical Authentication Bypass via U-Boot Boot Arguments
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction