Description
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-07-12
Score: 9.8 Critical
EPSS: 21.7% Moderate
KEV: No
Impact: Arbitrary File Upload enabling Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WPBookit WordPress plugin contains a flaw in the image_upload_handle() function where file type validation is omitted. This design flaw allows unauthenticated attackers to upload any file to the server, which can be exploited for remote code execution. The vulnerability is classified as CWE-434, highlighting the absence of input validation for file uploads.

Affected Systems

The vulnerability affects the WPBookit plugin from IQONIC Design on WordPress sites running any version up to and including 1.0.4. These installations are free-licensed and available through the WordPress plugin repository.

Risk and Exploitability

With a CVSS score of 9.8 and an EPSS of 22%, the risk of exploitation is substantial, yet the vulnerability is currently not listed in the CISA KEV catalog. The likely attack path involves sending a crafted HTTP request to the add_booking_type route, which the plugin processes without requiring authentication, allowing an attacker to upload malicious files that may be executed on the server.

Generated by OpenCVE AI on April 22, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBookit to a version newer than 1.0.4 where the file upload validation has been implemented.
  • If an upgrade cannot be applied immediately, block the add_booking_type upload endpoint for unauthenticated users using a firewall rule, security plugin, or server configuration.
  • Configure the web server to deny execution of files in the upload directory and whitelist accepted MIME types to prevent malicious code execution.
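The advisory's root cause is an upload handler that never checks what it receives, and the last recommendation above asks for an allowlist of accepted MIME types. The following is an added illustration of that class of server-side check written for this page; it is not code from WPBookit, IQONIC Design, or OpenCVE, and the allowlist, the `validate_image_upload()` name, the `$_FILES['image']` field and the `UPLOAD_DIR` constant are assumptions for the example.

```php
<?php
// Added example, not WPBookit's code: a strict image upload validator of the
// kind the advisory says image_upload_handle() is missing. Every decision is
// made from the file's content and a server-side allowlist, never from the
// client-supplied name or Content-Type. Allowlist and names are assumptions.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate one $_FILES entry and return a server-chosen destination filename.
 * Throws RuntimeException on any failed check so callers cannot forget to
 * look at a boolean result.
 */
function validate_image_upload(array $file, int $maxBytes = 2 * 1024 * 1024): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Sniff the real MIME type from the bytes; $file['type'] is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('disallowed content type: ' . var_export($mime, true));
    }

    // 2. Require that the content actually parses as an image and that the
    //    decoded format agrees with the sniffed MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? null) !== $mime) {
        throw new RuntimeException('content is not a valid image');
    }

    // 3. The client extension must match the allowlisted extension for the
    //    detected type (accept .jpeg as an alias of .jpg).
    $ext      = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    $expected = ALLOWED_IMAGE_TYPES[$mime];
    if ($ext !== $expected && !($expected === 'jpg' && $ext === 'jpeg')) {
        throw new RuntimeException('extension does not match content');
    }

    // 4. Discard the client name entirely. A random name with a server-chosen
    //    single extension means double-extension names (file.php.png) and
    //    path characters never reach the filesystem.
    return bin2hex(random_bytes(16)) . '.' . $expected;
}

// Illustrative usage from a handler that has already verified the caller's
// capability and nonce (UPLOAD_DIR and the 'image' field are assumptions):
// $name = validate_image_upload($_FILES['image']);
// move_uploaded_file($_FILES['image']['tmp_name'], UPLOAD_DIR . '/' . $name);
```

Two points a reviewer would check alongside this function: first, the route that calls it must require a capability check (WordPress's `current_user_can()`) and a nonce (`check_ajax_referer()` or `wp_verify_nonce()`), since the advisory's unauthenticated reachability is a separate defect from the missing validation; second, content validation is defence in depth, not a substitute for the web-server rule in the recommendation above that refuses to execute scripts from the uploads directory, because a future bypass of the sniffing logic should still not yield code execution.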

Advisories

No advisories yet.

History

Wed, 16 Jul 2025 15:00:00 +0000

Type: First Time appeared; Values Added: Iqonic, Iqonic wpbookit
Type: CPEs; Values Added: cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*
Type: Vendors & Products; Values Added: Iqonic, Iqonic wpbookit

Mon, 14 Jul 2025 16:15:00 +0000

Type: Metrics; Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics; Values Removed: epss {'score': 0.00128}; Values Added: epss {'score': 0.00055}


Sat, 12 Jul 2025 13:45:00 +0000

Type: Metrics; Values Added: epss {'score': 0.00128}


Sat, 12 Jul 2025 04:45:00 +0000

Type: Description; Values Added: The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Type: Title; Values Added: WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload
Type: Weaknesses; Values Added: CWE-434
Type: References
Type: Metrics; Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Iqonic Wpbookit
Iqonicdesign Wpbookit
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:36.449Z

Reserved: 2025-06-13T12:58:43.616Z

Link: CVE-2025-6058

Vulnrichment

Updated: 2025-07-14T16:01:09.396Z

NVD

Status : Analyzed

Published: 2025-07-12T05:15:22.387

Modified: 2025-07-16T14:57:37.827

Link: CVE-2025-6058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses