Description
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin’s image‐upload handler calls move_uploaded_file() on client‐supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-07-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads because the image_upload_handle() function does not validate file type, MIME type or sanitise the filename before calling move_uploaded_file(). This allows an unauthenticated attacker to upload any file, including executable code, to the web server. The uploaded file could be accessed and executed, potentially giving the attacker full control over the site.
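As an added example (not the plugin's own code and not a vendor patch), the following hardened PHP handler performs the checks the description says image_upload_handle() omits: an extension allow-list, a content-based MIME check, and a server-generated filename before move_uploaded_file(). The function name, the form field name and the destination directory are assumptions.

```php
<?php
// Added illustrative example, not WPBookit code. Shows the validation a
// safe image-upload handler needs before move_uploaded_file(): the advisory
// notes the vulnerable handler restricts neither extension nor MIME type and
// does not sanitise the filename. Names below are assumptions.

function safe_image_upload(array $file, string $dest_dir): array {
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error'];
    }
    // Reject anything that was not delivered through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    // 1. Extension allow-list, mapped to the only MIME type each may carry.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }
    // 2. MIME type from the file bytes via finfo, never from the client-supplied
    //    $file['type'], which the browser sets and an attacker controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => "content type $mime does not match .$ext"];
    }
    // 3. Require the bytes to decode as an image (getimagesize() returns false otherwise).
    if (getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }
    // 4. Discard the client filename entirely: no path separators, no double
    //    extensions, no guessable names. Only the validated extension survives.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }
    return ['ok' => true, 'path' => $target];
}

// Usage (assumed field name "image" and assumed upload subdirectory):
// $result = safe_image_upload($_FILES['image'], WP_CONTENT_DIR . '/uploads/wpbookit');
// Inside WordPress, wp_handle_upload($file, ['test_form' => false, 'mimes' => $allowed])
// applies equivalent extension and content checks and is the native choice.
```

Even with these checks, keep the upload directory non-executable as the recommended actions below advise, so that a validation bypass cannot be turned into code execution.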

Affected Systems

Any WordPress site that has the WPBookit plugin version 1.0.6 or earlier installed. The vulnerability exists in all releases up to and including 1.0.6 and affects sites that expose the add_new_customer route for the image upload handler.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of less than 1% shows the probability of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. However, the attack can be performed without authentication and is purely remote, so once a suitable payload is crafted an attacker could achieve remote code execution. Administrators should treat this as a high‑priority risk because of the potential impact.

Generated by OpenCVE AI on April 22, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Monitor the plugin repository and apply any released fix as soon as it becomes available.
  • If no fix is available, temporarily disable the WPBookit plugin to stop further arbitrary uploads.
  • Configure the web server or add a .htaccess rule to prevent execution of files in the upload directory (e.g., set the directory to non‑executable or disable PHP execution).

Advisories
Source: EUVD
ID: EUVD-2025-22478
Title: The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Thu, 24 Jul 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Iqonicdesign; Iqonicdesign wpbookit; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Iqonicdesign; Iqonicdesign wpbookit; Wordpress; Wordpress wordpress

Thu, 24 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Jul 2025 04:30:00 +0000

Type: Description
Values Added: The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Type: Title
Values Added: WPBookit <= 1.0.6 - Unauthenticated Arbitrary File Upload via image_upload_handle Function

Type: Weaknesses
Values Added: CWE-434

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Iqonicdesign Wpbookit
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:54.943Z

Reserved: 2025-07-18T22:04:48.835Z

Link: CVE-2025-7852

Vulnrichment

Updated: 2025-07-24T13:14:49.183Z

NVD

Status : Deferred

Published: 2025-07-24T07:15:55.013

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses