Unrated severityNVD Advisory· Published Jul 12, 2025· Updated Apr 8, 2026

WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload

CVE-2025-6058

Description

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affected products

WordPress/Wpbookitllm-fuzzy
Range: <=1.0.4
Package: https://wordpress.org/plugins/wpbookit
Iqonicdesign/Wpbookitv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-booking-type-controller.phpmitre
plugins.trac.wordpress.org/changesetmitre
www.wordfence.com/threat-intel/vulnerabilities/id/1d779ad1-fdbe-444c-85c5-99146a1a03d8mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.021
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000