Description
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-07-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The WPBookit plugin, a WordPress booking tool, contains a flaw in its handle_image_upload() function that fails to validate uploaded file types. The missing validation allows an authenticated user with Subscriber-level access or higher to upload any file to the server. This flaw can enable attackers to place malicious code on the site, potentially leading to remote code execution or other destructive consequences.

Affected Systems

All installations of WPBookit version 1.0.4 or earlier are affected. The plugin is distributed by iqonicdesign:WPBookit, and the cpe shows it is a free WordPress plugin. The vulnerability applies to any WordPress site that has the plugin installed and has users with Subscriber or higher permissions.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity, while the EPSS score is less than 1%, implying a low likelihood of current exploitation. It is not listed in the CISA KEV catalog, which suggests no known widespread exploitation yet. Attackers would need authenticated subscriber credentials, which are often short‑lived or shared, and the ability to navigate to the plugin’s upload endpoint. Once the upload path is exploited, the attacker can place a script that the server may execute, turning the site into a potential drop point for further attacks.

Generated by OpenCVE AI on April 21, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBookit to the latest release that includes the file‑type validation fix.
  • If an update is not available, disable the plugin or remove upload capabilities for Subscribers and lower roles.
  • Configure a web application firewall rule or use a plugin to block non‑image MIME types on uploads and reject all other file types.

Generated by OpenCVE AI on April 21, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21200 The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Wed, 16 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Iqonic
Iqonic wpbookit
CPEs cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*
Vendors & Products Iqonic
Iqonic wpbookit

Mon, 14 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00219}

Sat, 12 Jul 2025 04:45:00 +0000

Type Values Removed Values Added
Description The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title WPBookit <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Iqonic Wpbookit
Iqonicdesign Wpbookit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:26.107Z

Reserved: 2025-06-13T12:51:46.346Z

Link: CVE-2025-6057

cve-icon Vulnrichment

Updated: 2025-07-14T15:51:16.269Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-12T05:15:21.223

Modified: 2025-07-16T14:57:56.460

Link: CVE-2025-6057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses