CVE-2025-6057

EUVD-2025-21200 | HIGH | 2025-07-12 | [email protected]
CVSS 3.1 base score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 08:56 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 08:56 (euvd) EUVD-2025-21200
Patch Released: Mar 16, 2026 - 08:56 (nvd) Patch available
CVE Published: Jul 12, 2025 - 05:15 (nvd) HIGH 8.8

Description

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Analysis

WPBookit WordPress plugin versions up to 1.0.4 contain an arbitrary file upload vulnerability in the handle_image_upload() function due to missing file type validation, allowing authenticated attackers with Subscriber-level privileges to upload malicious files and potentially achieve remote code execution. This is a high-severity vulnerability (CVSS 8.8) affecting a plugin likely used by booking/appointment management websites, with low attack complexity and no user interaction required once authenticated.

Technical Context

The vulnerability exists in the WPBookit plugin's image upload handler, which fails to properly validate file types before storage. This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) weakness. The root cause is insufficient input validation in the handle_image_upload() function, which likely accepts file uploads without checking MIME types, file extensions, or content signatures. Plugin upload endpoints reachable with Subscriber-level access can typically write into the site's upload directories. An attacker can bypass client-side or weak server-side validation to upload PHP, JSP, or other executable files. The affected component processes HTTP POST requests for image uploads without adequate security controls. A CPE match string for the affected product would be cpe:2.3:a:wpbookit:wpbookit:*:*:*:*:*:wordpress:*:* (versions <= 1.0.4).

Affected Products

WPBookit WordPress Plugin (1.0.4 and all versions prior)

Remediation

Immediate Patch: Update the WPBookit plugin to version 1.0.5 or later (when released).
Workaround (if patch unavailable): Restrict file upload functionality and validate uploads.
Detection & Response: Identify compromised sites and clean malicious uploads.
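The Technical Context and the "validate uploads" workaround above describe the missing controls in general terms. The following is an added example of what a hardened WordPress image-upload handler looks like; it is not WPBookit's code, and the action, nonce and function names are hypothetical. It checks the caller's capability (a Subscriber-level account is refused), applies an image-only allowlist, and verifies the file's real content against its extension before letting the core uploader store it.

```php
<?php
// Added example (not WPBookit's code): a hardened WordPress AJAX image-upload
// handler. The action, nonce and function names are hypothetical.

add_action( 'wp_ajax_example_image_upload', 'example_handle_image_upload' );

function example_handle_image_upload() {
    // 1. CSRF token and capability check. By default only Author and above hold
    //    'upload_files', so a Subscriber-level account is refused here.
    check_ajax_referer( 'example_image_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['image'];

    // 2. Allowlist of image types (extension pattern => MIME type). Anything else,
    //    including .php/.phtml/.jsp, is rejected regardless of the declared MIME.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // 3. Validate extension AND content: wp_check_filetype_and_ext() inspects the
    //    bytes (getimagesize / finfo), so a PHP file renamed to .png fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // If WordPress corrected the extension to match the real content, use that name.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }
    $file['name'] = sanitize_file_name( $file['name'] );

    // 4. Let the core uploader move the file; 'mimes' re-applies the allowlist.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

As defence in depth, serving wp-content/uploads with script execution disabled at the web server limits the impact of any upload check that is later bypassed.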

Priority Score

Priority Score: 45
KEV: 0
EPSS: +0.7
CVSS: +44
POC: 0
