Description
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-01-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The WPBookit plugin for WordPress suffers from insufficient file type validation in its profile image upload routine, which permits an unauthenticated attacker to submit any file to the server. This flaw qualifies as a CWE‑434, providing a pathway for arbitrary code execution if a malicious script is uploaded. The official CVSS score of 9.8 indicates a critical level of severity, while the low EPSS score of less than 1 percent suggests that widespread exploitation is currently unlikely but the potential damage is severe.

Affected Systems

Versions of WPBookit up to and including 1.6.9, distributed by Iqonic Design, are affected. The vulnerability exists in the plugin’s handling of image uploads within the WordPress installation where the plugin is active.

Risk and Exploitability

Despite the low prevalence indicated by the EPSS metric, the high impact score makes this a priority concern. The attack vector is inferred to involve unauthenticated HTTP requests to the upload interface; a successful upload could enable remote code execution on the host. As the vulnerability is not listed in CISA’s KEV catalog, no public exploit has been observed, but the lack of mitigation on many sites leaves them open to potential future attacks.

Generated by OpenCVE AI on April 28, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPBookit plugin to the latest available version (1.7 or newer) to remove the upload flaw.
  • If an immediate upgrade is not feasible, block the upload endpoint for unauthenticated users using an access control rule or security plugin configuration.
  • Configure the web server so that files in the WPBookit upload directory cannot be executed (for example, add SetOptions -ExecCGI to the .htaccess in the plugin’s upload directory).

Generated by OpenCVE AI on April 28, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1626 The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Fri, 27 Jun 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Iqonic
Iqonic wpbookit
CPEs cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:* cpe:2.3:a:iqonic:wpbookit:*:*:*:*:pro:wordpress:*:*
Vendors & Products Iqonicdesign
Iqonicdesign wpbookit
Iqonic
Iqonic wpbookit

Wed, 28 May 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Iqonicdesign
Iqonicdesign wpbookit
CPEs cpe:2.3:a:iqonicdesign:wpbookit:*:*:*:*:*:wordpress:*:*
Vendors & Products Iqonicdesign
Iqonicdesign wpbookit

Mon, 27 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 25 Jan 2025 02:00:00 +0000

Type Values Removed Values Added
Description The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title WPBookit <= 1.6.9 - Unauthenticated Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Iqonic Wpbookit
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:56.501Z

Reserved: 2025-01-09T07:03:49.584Z

Link: CVE-2025-0357

cve-icon Vulnrichment

Updated: 2025-01-27T15:34:43.167Z

cve-icon NVD

Status : Analyzed

Published: 2025-01-25T02:15:26.990

Modified: 2025-06-27T17:38:07.010

Link: CVE-2025-0357

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:15:25Z

Weaknesses