CVE-2026-25439: WordPress Booknetic plugin <= 4.8.5 - Account Takeover vulnerability
Unauthenticated Broken Authentication in Booknetic <= 4.8.5 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken authentication vulnerability in the Booknetic WordPress plugin (versions 4.8.5 and earlier) allows an unauthenticated remote attacker to bypass login controls entirely. The flaw is reachable over the network and requires no credentials or user interaction, though exploitation depends on specific environmental conditions. Successful exploitation gives the attacker full control over targeted accounts, enabling them to read, modify, or destroy data associated with those accounts. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-25439 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Booknetic plugin. Any image containing an affected version of fs-code/Booknetic at or below 4.8.5 is flagged automatically. [Status: Available]
HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency and escalation thresholds. Triage results are routed to the appropriate team inbox within each customer organization based on those policy settings. [Status: Available]
No fix version has been published upstream for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer publishes a remediated release. In the meantime, customers can apply compensating controls such as network-policy restrictions on the WordPress admin surface or web-application firewall rules targeting the affected authentication endpoints. [Status: Pending upstream]
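The detection described in this section comes down to one check: find the Booknetic plugin inside an image's wp-content/plugins tree, read its version from the standard WordPress plugin header, and compare it numerically against the 4.8.5 ceiling. The script below is an added example of that check written for this page; it is not HarborGuard's scanner or the plugin's own code. The plugin header fixture, the file name booknetic.php and the temporary directory layout are constructed assumptions (the advisory does not describe the plugin's file layout); the "Plugin Name:" / "Version:" header format is the standard one WordPress reads from a plugin's main PHP file.

```python
import re
import tempfile
from pathlib import Path

# Ceiling taken from the advisory: fs-code/Booknetic <= 4.8.5 is affected by CVE-2026-25439.
AFFECTED_CEILING = "4.8.5"

# Constructed fixtures mimicking the standard WordPress plugin header block. The file
# name booknetic.php used below is a placeholder, not the plugin's documented layout.
SAMPLE_BOOKNETIC_HEADER = """<?php
/**
 * Plugin Name: Booknetic
 * Version: 4.8.5
 */
"""
SAMPLE_OTHER_HEADER = """<?php
/*
Plugin Name: Hello Dolly
Version: 1.7.2
*/
"""

# WordPress reads "Key: value" header lines from the first 8 KiB of the main plugin file.
# The leading character class skips the comment decoration (" * ", "/*", "#").
_NAME_RE = re.compile(r"^[\s*#/]*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
_VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*(\S+)", re.MULTILINE)


def parse_header(text):
    """Return (plugin_name, version) from a plugin main-file header, or (None, None)."""
    head = text[:8192]
    name = _NAME_RE.search(head)
    if not name:
        return None, None
    version = _VERSION_RE.search(head)
    return name.group(1), (version.group(1) if version else None)


def version_tuple(v):
    """'4.8.5' -> (4, 8, 5). Numeric comparison matters: as strings, '4.10.0' < '4.8.5'
    because '1' sorts before '8', which would wrongly flag a newer release as affected."""
    out = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group(0)) if m else 0)
    return tuple(out)


def is_affected(version, ceiling=AFFECTED_CEILING):
    return version_tuple(version) <= version_tuple(ceiling)


def find_plugins(plugins_root):
    """Map each plugin directory under wp-content/plugins to (name, version), using the
    first top-level .php file that carries a 'Plugin Name:' header as the entry point."""
    found = {}
    for plugin_dir in sorted(Path(plugins_root).iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            name, version = parse_header(php.read_text(errors="replace"))
            if name:
                found[plugin_dir.name] = (name, version)
                break
    return found


def flag_booknetic(plugins):
    """Return [(directory, version, affected)] for every Booknetic install found."""
    return [(slug, ver, is_affected(ver))
            for slug, (name, ver) in plugins.items()
            if name.lower() == "booknetic" and ver is not None]


def demo():
    """Build the constructed plugin tree in a temp dir and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        bn = Path(tmp, "booknetic")
        bn.mkdir()
        (bn / "booknetic.php").write_text(SAMPLE_BOOKNETIC_HEADER)  # placeholder file name
        other = Path(tmp, "hello-dolly")
        other.mkdir()
        (other / "hello.php").write_text(SAMPLE_OTHER_HEADER)
        return flag_booknetic(find_plugins(tmp))


if __name__ == "__main__":
    for slug, ver, hit in demo():
        verdict = f"AFFECTED (<= {AFFECTED_CEILING})" if hit else "not affected"
        print(f"{slug}: version {ver} -> {verdict}")
```

Point find_plugins at an extracted image layer's wp-content/plugins directory to run it against a real image; the version comparison is the part most easily got wrong, so it is isolated in version_tuple and checked against a 4.10.x case.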
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress installation over the network; the vulnerable authentication endpoint is exposed via standard HTTP/HTTPS.
- Authentication: Not required
  No credentials of any kind are needed; the vulnerability exists in the pre-authentication layer and can be triggered by an anonymous request.
- Victim interaction: Not required
  The attacker does not need to trick or wait for any user to take action; exploitation is entirely server-side.
- Attack complexity: High
  Attack complexity is rated High, meaning exploitation is not unconditional and likely depends on specific environmental factors such as account state, timing, or configuration that the attacker must identify or satisfy before the bypass succeeds.
Blast Radius
- A successful attacker takes over the targeted account, gaining the same access level as that account within WordPress and Booknetic, including stored booking records, customer personal data, and payment details.
- If the compromised account holds administrative privileges, the attacker can modify or delete all booking data, alter plugin configuration, and potentially install malicious WordPress plugins.
- All data stored in the Booknetic appointment system, including names, contact information, and scheduling history, becomes readable by the attacker.
- The attacker can corrupt or destroy Booknetic booking records, disrupting availability of the appointment scheduling service for end users.
How HarborGuard Handles This
Available on HarborGuard: detection for this vulnerability is active and matched against customer images on every scan cycle. Because no upstream fix exists yet, patched-image rebuilds are not currently available; HarborGuard monitors the Patchstack advisory and the fs-code/Booknetic release channel on each ingest cycle and will trigger a rebuild automatically once a remediated version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. While no patch is available, compensating controls worth considering include restricting public network access to the WordPress login and REST authentication endpoints via network policy or a web-application firewall, and auditing existing Booknetic accounts for signs of unauthorized access. Customers can configure HarborGuard compliance policies to escalate this CVE to a priority queue given its HIGH severity and zero-credential exposure profile.
Affected Products
- fs-code / Booknetic: ≤ 4.8.5
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H