WPBookit CVE-2025-6058

EUVD-2025-21201 · CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
Published 2025-07-12 · security@wordfence.com
CVSS 3.1 (NVD): 9.8

Severity by source

NVD (primary): 9.8 CRITICAL · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

EUVD ID Assigned · Mar 16, 2026 08:56 (euvd) · EUVD-2025-21201
Analysis Generated · Mar 16, 2026 08:56 (vuln.today)
Patch released · Mar 16, 2026 08:56 (nvd) · Patch available
CVE Published · Jul 12, 2025 05:15 (nvd) · CRITICAL 9.8

Description (CVE.org)

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Analysis (AI)

The WPBookit WordPress plugin (versions ≤1.0.4) contains a critical arbitrary file upload vulnerability in the image_upload_handle() function: the handler performs no file type validation, so unauthenticated attackers can upload files of their choosing and potentially achieve remote code execution. With a CVSS score of 9.8, a network-reachable attack surface, and no authentication or user interaction required, this vulnerability poses an immediate and severe threat to any WordPress installation running the affected plugin.

Technical Context (AI)

The vulnerability exists in the WPBookit plugin's image_upload_handle() function, which is hooked to the 'add_booking_type' route and, per the description, is reachable without authentication. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the handler does not validate the uploaded file's extension, MIME type, or content before writing it to the server filesystem. WordPress plugins typically receive uploads through AJAX or direct POST requests, and every attribute of such a request (file name, declared Content-Type, body) is attacker-controlled; here the add_booking_type route accepts the file without sufficient checks. An attacker can therefore submit a PHP file, either with its own .php extension or carrying PHP code inside a file that otherwise passes as an image, and if the server stores it under a web-accessible path where PHP is executed, requesting that path runs the code.

Remediation (AI)

Immediate actions:
(1) Update WPBookit to a fixed release (any version newer than 1.0.4; the timeline above records a patch as available, so confirm the exact fixed version on the WordPress.org plugin page or the Wordfence advisory).
(2) If immediate patching is not possible, disable or remove the plugin entirely until it is patched.
(3) If the plugin must remain active, block execution of PHP in the uploads tree at the web server (an .htaccess rule denying PHP-like files under wp-content/uploads on Apache, where AllowOverride permits it, or an nginx location block). This stops uploaded code from running; it does not stop the upload itself, so it is a mitigation, not a fix.
(4) Audit web server logs for requests to the add_booking_type route, and review the uploads directory for PHP files, or image-named files containing PHP code, created since the plugin was installed.
(5) Run a malware scan over the WordPress installation and the uploads directory; treat any unexpected executable file as a possible indicator of compromise and investigate before deleting it.
Check the official WPBookit documentation and the WordPress.org plugin page for security updates and vendor advisories.
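Steps (3) and (4) above, as an added shell example that is not vendor guidance: harden_uploads_dir drops an .htaccess into the uploads tree so Apache refuses to serve PHP-like files from it (the nginx equivalent is given as a comment in the same file), and scan_uploads lists files that either carry a PHP-executable extension or hide a PHP open tag behind another extension. The function names, the wp-content/uploads path and the constructed test files are assumptions.

```shell
#!/bin/sh
# Added example, not vendor guidance: remediation steps (3) and (4) as shell.
# harden_uploads_dir writes an .htaccess that makes Apache refuse PHP-like files
# in the uploads tree; scan_uploads lists files that look like PHP payloads.
# wp-content/uploads is the standard WordPress location (an assumption).

harden_uploads_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Refuse to serve anything PHP-like from the uploads tree (Apache 2.4 syntax;
# Apache 2.2 needs "Order allow,deny" + "Deny from all" instead of Require).
# Only honoured where AllowOverride permits FilesMatch/Require in this directory.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
# nginx equivalent, placed in the server block rather than in this file:
#   location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ { deny all; }
EOF
}

# List (a) files with a PHP-executable extension and (b) files with any other
# extension that still contain a PHP open tag (image/PHP polyglots). Does not
# skip binary files, since a polyglot "image" is binary by design.
scan_uploads() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.phar' -o -iname '*.php[0-9]' \) -print
    find "$dir" -type f ! -iname '*.php' ! -iname '*.phtml' \
        ! -iname '*.phar' ! -iname '*.php[0-9]' \
        -exec grep -l '<?php' {} + || :   # grep exits 1 when nothing matches; not an error
}

# Usage: sh harden_uploads.sh /var/www/html/wp-content/uploads
if [ -n "${1:-}" ]; then
    harden_uploads_dir "$1" && echo "wrote $1/.htaccess"
    scan_uploads "$1"
fi
```

Blocking at the web server only prevents execution of files requested through it; an attacker who has already planted a file could still have it included by another PHP script, so anything scan_uploads reports should be treated as evidence and examined rather than silently removed. On hosts running PHP-FPM through nginx, the location block must appear before the generic `location ~ \.php$` handler or it will never match.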

CVE-2025-6058 vulnerability details – vuln.today
