CVE Vulnerability Database

CVE-2024-10215: Iqonic Wpbookit Auth Bypass Vulnerability

CVE-2024-10215 is an authentication bypass flaw in Iqonic Wpbookit for WordPress that allows unauthenticated attackers to change user passwords and hijack administrator accounts. This article covers the technical details.

CVE-2024-10215 Overview

The WPBookit plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability (CWE-639) that allows unauthenticated attackers to change user passwords, including administrator accounts. This vulnerability exists in versions up to and including 1.6.4 due to the plugin providing user-controlled access to objects without proper authorization checks. An attacker can exploit this flaw to bypass authorization mechanisms and gain unauthorized access to system resources, potentially leading to complete site takeover.

Critical Impact

Unauthenticated attackers can change any user's password, including administrator accounts, leading to complete WordPress site compromise without requiring any authentication.

Affected Products

  • WPBookit Pro for WordPress versions up to and including 1.6.4
  • Iqonic WPBookit

Discovery Timeline

  • 2025-01-09 - CVE-2024-10215 published to NVD
  • 2025-06-27 - Last updated in NVD database

Technical Details for CVE-2024-10215

Vulnerability Analysis

This vulnerability is classified as an Authorization Bypass through User-Controlled Key (CWE-639), commonly known as Insecure Direct Object Reference (IDOR). The WPBookit plugin fails to properly validate that the user making a password change request is authorized to modify the target account. Instead, the plugin accepts user-supplied identifiers to determine which account's password should be changed, without verifying that the requester has permission to perform this action.

The impact is severe because the vulnerability requires no authentication to exploit. An attacker with network access to a WordPress installation running the vulnerable plugin can manipulate password change requests to target any user account, including administrators. Successful exploitation grants the attacker full access to compromised accounts, enabling complete site takeover when administrator credentials are changed.

Root Cause

The root cause of this vulnerability is the absence of proper authorization checks in the password change functionality. The plugin directly uses user-supplied input to identify which user account should have its password modified, without verifying that the requesting party is either the account owner or has administrative privileges to perform such operations. This represents a fundamental failure in implementing the principle of least privilege and proper access control mechanisms.
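As an added illustration (not WPBookit's code, and not the fix the vendor shipped), a WordPress AJAX password-change handler that closes the gap described above: the requester is taken from the authenticated session, a nonce is checked, and a client-supplied user id is honoured only for callers who hold a user-management capability. The action name, parameter names and capability choice are assumptions.

```php
<?php
// Added illustration, not WPBookit code. Hypothetical AJAX action "demo_change_password".
// The pattern the advisory describes: a handler reachable without a session that reads a
// user id from the request and resets that account's password with no check that the
// caller may act on it. The version below (a) requires a logged-in session, (b) verifies
// a nonce, (c) binds the target to the session unless the caller can edit users.

add_action('wp_ajax_demo_change_password', 'demo_change_password_handler');
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated requests never reach the handler.

function demo_change_password_handler(): void {
    // (b) CSRF protection; the form/JS must send a nonce from wp_create_nonce('demo_change_password').
    check_ajax_referer('demo_change_password', 'nonce');

    // (a) Identity comes from the session cookie, never from request parameters.
    $requester_id = get_current_user_id();
    if ($requester_id === 0) {
        wp_send_json_error(['message' => 'Authentication required.'], 401);
    }

    // (c) Authorization check for the user-controlled key (CWE-639): a caller may change
    // only their own password unless they are allowed to manage other users.
    $target_id = isset($_POST['user_id']) ? absint($_POST['user_id']) : $requester_id;
    if ($target_id !== $requester_id && !current_user_can('edit_users')) {
        wp_send_json_error(['message' => 'Not permitted.'], 403);
    }

    $new_password = isset($_POST['new_password']) ? (string) wp_unslash($_POST['new_password']) : '';
    if (strlen($new_password) < 12) {
        wp_send_json_error(['message' => 'Password too short.'], 400);
    }
    if (get_userdata($target_id) === false) {
        wp_send_json_error(['message' => 'Unknown user.'], 404);
    }

    // wp_set_password stores the new hash; because WordPress auth cookies are derived from
    // a fragment of that hash, the target's existing logged-in sessions stop validating.
    wp_set_password($new_password, $target_id);
    wp_send_json_success(['message' => 'Password updated.']);
}
```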

Attack Vector

The attack is conducted over the network and requires no authentication, privileges, or user interaction. An attacker identifies a WordPress site running the vulnerable WPBookit plugin and crafts a malicious request to the password change endpoint. By manipulating the user identifier parameter in the request, the attacker can target any user account on the system. The plugin processes the request without validating the requester's authorization, allowing the password to be changed to a value controlled by the attacker.

The attack flow typically involves:

  1. Identifying a target WordPress installation with WPBookit plugin versions 1.6.4 or earlier
  2. Enumerating valid user identifiers (often WordPress user IDs are sequential integers)
  3. Sending crafted password change requests targeting administrator accounts
  4. Using the newly set password to authenticate and gain full administrative access

For detailed technical analysis, refer to the Wordfence Vulnerability Intelligence advisory.

Detection Methods for CVE-2024-10215

Indicators of Compromise

  • Unexpected password reset events for administrator or privileged user accounts
  • Multiple password change requests from external IP addresses targeting different user accounts
  • Anomalous authentication patterns following password changes, particularly from unfamiliar locations
  • User reports of being locked out of accounts without initiating password resets

Detection Strategies

  • Monitor WordPress authentication logs for successful logins following unexpected password change events
  • Implement web application firewall (WAF) rules to detect suspicious patterns in password change requests
  • Review access logs for repeated requests to WPBookit plugin endpoints with varying user identifiers
  • Deploy SentinelOne Singularity to detect post-exploitation activities such as unauthorized plugin installations or file modifications
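The "varying user identifiers" review above, as an added example that is not part of the original advisory: a PHP CLI script that parses combined-format access log lines and flags any client address that sent requests to WPBookit endpoints carrying several different user ids. The endpoint path, the `action` value and the `user_id` parameter name are assumptions, not the plugin's documented routes, and the log lines are constructed.

```php
<?php
// Added example, not from the advisory. Flags one client hitting WPBookit endpoints with
// many distinct user identifiers, the enumeration pattern described in Detection Strategies.
// Endpoint path and parameter names are assumptions; adjust them to the real plugin routes.

const THRESHOLD = 3;   // distinct user ids from one address before it is flagged

// Constructed sample log lines (documentation IP ranges, not a real incident).
$sampleLog = <<<'LOG'
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpbookit_change_password&user_id=1 HTTP/1.1" 200 52 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=wpbookit_change_password&user_id=2 HTTP/1.1" 200 52 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=wpbookit_change_password&user_id=3 HTTP/1.1" 200 52 "-" "curl/8.0"
198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpbookit_change_password&user_id=7 HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:06:00 +0000] "GET /wp-content/plugins/wpbookit/assets/app.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
LOG;

function findEnumeration(string $log, int $threshold = THRESHOLD): array {
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client address and request target from the combined log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        if (stripos($target, 'wpbookit') === false) {
            continue; // not a plugin endpoint
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $query);
        if (!isset($query['user_id'])) {
            continue; // static asset or a request that names no user
        }
        $byIp[$ip][$query['user_id']] = true;   // set of ids seen per address
    }
    $alerts = [];
    foreach ($byIp as $ip => $ids) {
        if (count($ids) >= $threshold) {
            $alerts[$ip] = array_keys($ids);
        }
    }
    return $alerts;   // e.g. ['203.0.113.7' => [1, 2, 3]] for the sample above
}

foreach (findEnumeration($sampleLog) as $ip => $ids) {
    printf("ALERT %s targeted %d distinct user ids: %s\n", $ip, count($ids), implode(',', $ids));
}
```

Pair the alert with the WordPress side: a flagged address whose requests were followed by successful logins for the same user ids is the sequence the Indicators of Compromise list describes.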

Monitoring Recommendations

  • Enable comprehensive logging for WordPress user management functions and authentication events
  • Configure alerting for password changes to administrator accounts that did not originate from authenticated sessions
  • Implement rate limiting on password change endpoints to slow enumeration attempts
  • Monitor for signs of site compromise such as new administrator accounts, modified files, or unexpected outbound connections

How to Mitigate CVE-2024-10215

Immediate Actions Required

  • Update WPBookit plugin to the latest version that addresses this vulnerability
  • Audit all WordPress user accounts for unauthorized password changes
  • Force password resets for all administrator and privileged accounts
  • Review WordPress access logs for signs of exploitation attempts
  • Consider temporarily disabling the WPBookit plugin if an update is not immediately available

Patch Information

The vendor has released updates to address this vulnerability. Refer to the IQONIC Documentation Change Log for version information and update instructions. Administrators should upgrade to the latest available version of WPBookit that includes the security fix.

Workarounds

  • Restrict access to the WordPress admin area and plugin endpoints via IP allowlisting at the web server or firewall level
  • Implement a web application firewall (WAF) with rules to validate and filter requests to the WPBookit plugin
  • Disable the WPBookit plugin entirely until the patched version can be deployed
  • Enable two-factor authentication for all administrator accounts to provide an additional layer of protection even if passwords are compromised

```apache
# Configuration example - Restrict access via .htaccess
# Add to the WordPress root .htaccess (placing it only under wp-admin would not cover
# plugin endpoints served from wp-content or the site front end).
#
# Caveats: replace 192.168.1. with the network your administrators actually use;
# behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so allowlisting
# must be done at that layer instead; and because the rule blocks every URI containing
# "wpbookit", public booking pages are blocked too, which makes this equivalent to
# taking the plugin offline until the patch is applied.

# Block direct access to plugin endpoints from external IPs
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
    RewriteCond %{REQUEST_URI} wpbookit [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Alternative: Use IP allowlist in Apache configuration (Apache 2.4 syntax)
# <Location "/wp-content/plugins/wpbookit/">
#     Require ip 192.168.1.0/24
# </Location>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
