On May 22, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes's BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for an attacker to gain access to any account on the site, including the administrator account, if the attacker knows the email address associated with that account.
Sites still using the free version of Wordfence will receive a firewall rule to protect against any exploits targeting this vulnerability on June 21, 2023. Wordfence Premium users have been protected since May 23.
Wordfence contacted StylemixThemes on May 22, 2023, and received a response the next day. After providing full disclosure details, the developer released a first patch on May 31, 2023, which still contained a vulnerability, and then released the fully patched version on June 13, 2023. We would like to commend the StylemixThemes development team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of BookIt, version 2.3.8 at the time of this writing, as soon as possible.
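For site owners who manage several WordPress installs, the quickest way to act on this advice is to check each site's installed BookIt version against the patched release. The script below is an added example, not code from Wordfence or StylemixThemes. It parses the CSV produced by WP-CLI's `wp plugin list --format=csv` (a constructed sample is embedded so it runs offline) and flags any BookIt version older than 2.3.8, the patched version named above. The plugin slug `bookit` is an assumption; confirm it against the plugin directory name on your own site.

```python
import csv
import io

# Constructed sample of `wp plugin list --format=csv` output; not data from a real site.
SAMPLE_PLUGIN_LIST = """name,status,update,version
bookit,active,available,2.3.7
akismet,active,none,5.1
"""

# Patched BookIt version as stated in the advisory.
PATCHED_VERSION = "2.3.8"

# Assumed plugin slug; verify against wp-content/plugins/ on the target site.
BOOKIT_SLUG = "bookit"


def parse_version(version):
    """Turn '2.3.7' into a comparable tuple (2, 3, 7); non-numeric parts count as 0."""
    parts = []
    for piece in version.strip().split("."):
        try:
            parts.append(int(piece))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def is_vulnerable(installed, patched=PATCHED_VERSION):
    """True when the installed version sorts strictly below the patched version."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    # Pad so '2.3' compares as '2.3.0' rather than failing on tuple length.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_bookit(plugin_list_csv, slug=BOOKIT_SLUG):
    """Return (installed_version, vulnerable) for BookIt, or None if it is not installed."""
    for row in csv.DictReader(io.StringIO(plugin_list_csv)):
        if row["name"] == slug:
            return row["version"], is_vulnerable(row["version"])
    return None


if __name__ == "__main__":
    result = check_bookit(SAMPLE_PLUGIN_LIST)
    if result is None:
        print("BookIt not installed")
    else:
        version, vulnerable = result
        status = "VULNERABLE, update to %s" % PATCHED_VERSION if vulnerable else "patched"
        print("BookIt %s: %s" % (version, status))
```

On a live site, feed the function the real output of `wp plugin list --format=csv` instead of the constructed sample; a `True` result means the install predates the fix and should be updated before relying on the firewall rule alone.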