Description
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files. This issue affects WPBookit Pro: from n/a through <= 1.6.18.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unrestricted file upload vulnerability exists in the WPBookit Pro plugin up to version 1.6.18. The plugin fails to validate the MIME type of uploaded files, enabling an attacker to upload a file of a dangerous type such as a PHP script. If the uploaded script is executed, it can lead to remote code execution and compromise the entire WordPress site.

Affected Systems

The flaw is present in the WPBookit Pro plugin developed by IQonic Design. It affects all installations of the plugin from the initial release through version 1.6.18. Site administrators should verify whether they are running a vulnerable version and consider upgrading.

Risk and Exploitability

The vulnerability has a CVSS score of 9.9, indicating critical severity due to potential remote code execution. The EPSS score is less than 1%, suggesting that widespread exploitation is unlikely, and the issue is not listed in the CISA KEV catalog. The likely attack vector is the plugin's web interface, where an authenticated user with upload privileges could introduce a malicious file. Successful execution of such a file would grant an attacker full control over the web server.

Generated by OpenCVE AI on March 27, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPBookit Pro to the latest available version (1.6.19 or newer).
  • If an immediate upgrade is not possible, disable the plugin or enforce a strict whitelist of allowed file types in the plugin settings.
  • Delete any files that may have been uploaded during the vulnerable period, especially scripts.
  • After applying the patch, scan the site for unauthorized PHP files or other indicators of compromise.
  • Configure the server (e.g., through .htaccess or web-server rules) to block execution of files in the upload directory, as an additional layer of protection.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Iqonicdesign; Iqonicdesign wpbookit Pro; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Iqonicdesign; Iqonicdesign wpbookit Pro; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files. This issue affects WPBookit Pro: from n/a through <= 1.6.18.

Type: Title
Values Added: WordPress WPBookit Pro plugin <= 1.6.18 - Arbitrary File Upload vulnerability

Type: Weaknesses
Values Added: CWE-434

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-27T13:50:07.937Z

Reserved: 2026-02-02T12:53:19.002Z

Link: CVE-2026-25413

Vulnrichment

Updated: 2026-03-27T13:33:51.611Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:50.040

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:20Z

Weaknesses