CVE-2025-6058

EUVD-2025-21201 | CRITICAL | Published 2025-07-12 | Assigner: [email protected]
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 16, 2026 - 08:56 (vuln.today)
- EUVD ID Assigned: Mar 16, 2026 - 08:56 (euvd) - EUVD-2025-21201
- Patch Released: Mar 16, 2026 - 08:56 (nvd) - Patch available
- CVE Published: Jul 12, 2025 - 05:15 (nvd) - CRITICAL 9.8

Description

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Analysis

The WPBookit WordPress plugin (versions ≤1.0.4) contains a critical arbitrary file upload vulnerability in the image_upload_handle() function due to missing file type validation, allowing unauthenticated attackers to upload malicious files and potentially achieve remote code execution. With a CVSS score of 9.8, network-accessible attack vector, and no authentication requirement, this vulnerability poses an immediate and severe threat to any WordPress installation using the affected plugin.

Technical Context

The vulnerability exists in the WPBookit plugin's image_upload_handle() function, which is hooked to the 'add_booking_type' route. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the application fails to properly validate uploaded file extensions, MIME types, or content before storing the file on the server filesystem. WordPress plugins typically handle file uploads through AJAX or direct POST requests; in this case, the add_booking_type route processes image uploads without sufficient validation checks. An attacker can exploit this by sending a malicious file (e.g., PHP, JSP, or another executable format), either disguised as an image or submitted directly in place of one, which the server accepts and stores in a web-accessible directory, enabling subsequent execution.

Affected Products

WPBookit WordPress Plugin: All versions up to and including 1.0.4 are vulnerable. CPE would be approximately 'cpe:2.3:a:wpbookit:wpbookit:*:*:*:*:*:wordpress:*:*' with version constraints ≤1.0.4. The plugin is distributed through the WordPress.org plugin repository. Organizations running any version of WPBookit ≤1.0.4 on WordPress installations are affected, regardless of WordPress version, as the vulnerability is in the plugin code itself.

Remediation

Immediate actions: (1) Update WPBookit plugin to version 1.0.5 or later (vendor should have released a patched version addressing file type validation); (2) If immediate patching is not possible, disable or remove the WPBookit plugin entirely until patched; (3) If the plugin must remain active, implement file upload restrictions via web server configuration (e.g., .htaccess rules preventing PHP execution in upload directories, or nginx location blocks); (4) Audit server logs and file uploads for suspicious files uploaded after plugin installation; (5) Run malware scans on the WordPress installation and uploaded files directory. Check the official WPBookit documentation and WordPress.org plugin page for available security updates and vendor advisories.
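Step (4) above, auditing the uploads tree for files that should not be there, can be partly automated. The following is an added example, not code from vuln.today or from the WPBookit project; the executable-extension list, the image magic bytes and the sample tree built in demo() are constructed assumptions, and audit_uploads() can be pointed at a real wp-content/uploads path instead.

```python
import os
import re
import tempfile
# Extensions that must never appear under wp-content/uploads (constructed list, not exhaustive).
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "shtml", "cgi", "pl"}
IMAGE_MAGIC = {  # magic bytes for image types a booking-type image upload may legitimately carry
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def audit_file(path):
    """Return findings for one file; an empty list means nothing suspicious."""
    findings = []
    exts = os.path.basename(path).lower().split(".")[1:]  # every segment: a.php.jpg -> php, jpg
    if any(e in EXEC_EXTS for e in exts):
        findings.append("executable extension")
    with open(path, "rb") as fh:
        head = fh.read(8192)
    last = exts[-1] if exts else ""
    if last in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[last]):
        findings.append("magic bytes do not match extension")
    if PHP_TAG.search(head):
        findings.append("PHP open tag in content")
    return findings

def audit_uploads(root):
    """Map relative path (forward slashes) -> findings, for every suspicious file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if hits := audit_file(full):
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report

def demo():
    """Audit a constructed uploads tree (sample files, not artefacts from any real incident)."""
    root = tempfile.mkdtemp()
    samples = {
        "2025/07/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,     # clean image
        "2025/07/upload.php": b"<?php echo 1; ?>",                  # executable file
        "2025/07/pic.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # double extension
        "2025/07/cover.jpg": b"<?php /* no JPEG header */ ?>",      # PHP disguised as image
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh: fh.write(data)
    return audit_uploads(root)
```

A hit on "magic bytes do not match extension" or "PHP open tag in content" for a file with an image extension is the case the web-server rules in step (3) exist for: it only becomes code execution if the server is willing to run it.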

Priority Score

71 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +21.7, CVSS +49, POC 0


CVE-2025-6058 vulnerability details – vuln.today
