Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.This issue affects WPBookit Pro: from n/a through <= 1.6.18.
AnalysisAI
WPBookit Pro through version 1.6.18 contains an unrestricted file upload vulnerability (CWE-434) that allows attackers to upload malicious files to affected WordPress installations. This arbitrary file upload flaw enables remote code execution and complete site compromise without requiring authentication or special privileges. The vulnerability affects all versions of the iqonicdesign WPBookit Pro plugin up to and including 1.6.18, making it a critical risk for WordPress administrators using this booking plugin.
Technical ContextAI
The vulnerability exists in the WPBookit Pro WordPress plugin (CPE: cpe:2.3:a:iqonicdesign:wpbookit_pro:*:*:*:*:*:*:*:*), which is a booking/appointment scheduling solution for WordPress. The root cause is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating that the plugin's file upload functionality lacks proper validation and filtering of uploaded file types. This allows attackers to bypass file type restrictions and upload executable files (such as PHP files) to the web server. Once uploaded, these malicious files can be executed by the web server, leading to arbitrary code execution within the context of the WordPress application and underlying operating system.
RemediationAI
The primary remediation is to upgrade WPBookit Pro to the patched version immediately (check the plugin vendor website or WordPress plugin repository for the latest version beyond 1.6.18). Until patching is completed, WordPress administrators should disable the WPBookit Pro plugin entirely or restrict access to its upload functionality via web application firewall (WAF) rules or .htaccess restrictions blocking file uploads to plugin directories. Additionally, implement the principle of least privilege by ensuring the web server process runs with minimal permissions, disable PHP execution in upload directories via web server configuration (e.g., Apache or Nginx directives), and enable comprehensive file integrity monitoring and access logging on the WordPress installation. Monitor for suspicious file uploads and unexpected PHP files in the wp-content/plugins/wpbookit-pro/ directory. For detailed patching instructions, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-arbitrary-file-upload-vulnerability.
More in Wpbookit Pro
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15720