CVE-2026-40780 | Severity: HIGH | CNA: Patchstack

CVE-2026-40780: WordPress BookIt plugin < 2.5.4.1 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation. This issue affects BookIt: from n/a before 2.5.4.1.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 2.5.4.1
Affected Products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in the WordPress BookIt plugin (versions before 2.5.4.1) allows an unauthenticated attacker to exploit the password recovery flow over the network, bypassing normal credential checks entirely. No login or user interaction is required; the attacker reaches the vulnerable endpoint directly via HTTP. Successful exploitation gives the attacker the ability to take over user accounts by resetting passwords without authorization. A patched-image rebuild at version 2.5.4.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-40780 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the BookIt plugin. Any image layer containing a BookIt version below 2.5.4.1 is flagged automatically.
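As an added example (not HarborGuard's or the plugin's own code), a minimal version of the check described above: read the Version: field from a WordPress plugin's main-file header and flag anything below 2.5.4.1, comparing versions component-wise so that 2.5.4 is ranked below 2.5.4.1 and 2.5.10 above it. The plugin headers are constructed samples; the real BookIt file name and slug are not given on this page.

```python
import re

# Release that fixes CVE-2026-40780; everything below it is affected (from the advisory).
FIXED_VERSION = "2.5.4.1"


def parse_version(v):
    """Split '2.5.4.1' into (2, 5, 4, 1); stop at the first non-numeric piece."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """Component-wise a < b. Missing trailing components count as 0, so
    '2.5.4' < '2.5.4.1' and '2.5.10' > '2.5.4.1' (string comparison gets both wrong)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def plugin_version_from_header(text):
    """Extract the 'Version:' field from a WordPress plugin main-file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version, fixed=FIXED_VERSION):
    """True when the installed version is below the fixed release ('from n/a' = no lower bound)."""
    return version is not None and version_lt(version, fixed)


# Constructed sample plugin headers (not real BookIt files).
SAMPLE_HEADERS = {
    "vulnerable": "<?php\n/**\n * Plugin Name: BookIt\n * Version: 2.5.4\n */\n",
    "patched": "<?php\n/**\n * Plugin Name: BookIt\n * Version: 2.5.4.1\n */\n",
    "newer": "<?php\n/**\n * Plugin Name: BookIt\n * Version: 2.5.10\n */\n",
}


def scan(headers=SAMPLE_HEADERS):
    """Map each sample to whether its header version falls in the affected range."""
    return {name: is_affected(plugin_version_from_header(h)) for name, h in headers.items()}


if __name__ == "__main__":
    for name, flagged in scan().items():
        print(f"{name}: {'AFFECTED' if flagged else 'ok'}")
```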
Triage (Available)

Triage is available with a CVSS v3.1 score of 7.5 (HIGH), and HarborGuard weights that score against each customer organization's compliance policy to determine urgency and route the finding to the appropriate team inbox. Per-environment policy rules can escalate or suppress the alert based on workload criticality or regulatory context.
Patch (Available)

A patched-image rebuild at BookIt version 2.5.4.1 becomes available on HarborGuard as soon as the fix is confirmed in the upstream package feed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable password recovery endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the target WordPress instance.

  • Authentication: Not required

    No account or credential of any kind is needed; the vulnerability exists in the unauthenticated password recovery flow.

  • Victim interaction: Not required

    The attacker exploits the endpoint directly and does not need any user to click a link or take any action.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of the target environment.

Blast Radius

  • The attacker can reset the password of any user account whose recovery flow is reachable, including administrator accounts, effectively taking full control of those accounts.
  • With account control, the attacker can modify site content, install or alter WordPress plugins and themes, and change user roles or permissions.
  • Sensitive data accessible to the compromised account, such as customer booking records and contact details stored in BookIt, becomes readable and exportable by the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40780 is active across all scanning pipelines, matching any image that packages BookIt below version 2.5.4.1. For customers with auto-remediation enabled, HarborGuard triggers a rebuild at the patched version (2.5.4.1), runs regression tests against the rebuilt image, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and routed to the designated reviewer inbox so no manual rebuild step is needed. Customers who cannot immediately apply the patch are advised to consider network-policy controls that restrict public access to the WordPress password recovery endpoint as a compensating control until the update is applied.


Fix available: 2.5.4.1

Affected packages
  • Liquid Web / StellarWP / BookIt: < 2.5.4.1 (from n/a)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N