Skip to main content
CVE Vulnerability Database

CVE-2025-6057: Iqonic Wpbookit RCE Vulnerability

CVE-2025-6057 is a remote code execution flaw in Iqonic Wpbookit allowing authenticated attackers to upload malicious files. This article covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-6057 Overview

CVE-2025-6057 is an arbitrary file upload vulnerability affecting the WPBookit plugin for WordPress. The flaw resides in the handle_image_upload() function, which fails to validate file types before accepting uploads. Authenticated attackers with Subscriber-level access or higher can upload arbitrary files to the affected site's server. Successful exploitation may lead to remote code execution on the underlying web server.

The vulnerability affects all versions of WPBookit up to and including 1.0.4. It is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type.

Critical Impact

Authenticated users with minimal privileges can upload malicious PHP files and achieve remote code execution on vulnerable WordPress installations.

Affected Products

  • Iqonic WPBookit plugin for WordPress, all versions through 1.0.4
  • WordPress sites running the WPBookit free distribution
  • WordPress installations allowing Subscriber-level registration with the plugin enabled

Discovery Timeline

  • 2025-07-12 - CVE-2025-6057 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6057

Vulnerability Analysis

The vulnerability stems from missing file type validation in the handle_image_upload() function within class.wpb-profile-controller.php. This function processes image uploads tied to user profile functionality but does not enforce restrictions on file extensions, MIME types, or content signatures. Attackers can submit files containing PHP code with executable extensions through the upload handler.

Once uploaded, these files are stored within the WordPress uploads directory and may be directly requested over HTTP. Execution of attacker-controlled PHP within the web server context grants the attacker full code execution privileges of the PHP process. This typically results in complete compromise of the WordPress site, including database access and lateral movement opportunities.

The EPSS score for this vulnerability is 0.642% as of June 2026.

Root Cause

The root cause is the absence of allowlist-based file type validation in the upload handler. The handle_image_upload() function accepts user-supplied files without verifying extension, MIME content type, or magic bytes. WordPress provides built-in validation functions such as wp_check_filetype_and_ext(), but the plugin code does not invoke them before persisting uploaded files.

Attack Vector

The attack requires network access and authenticated session credentials at the Subscriber role or above. Because many WordPress sites allow open user registration, the authentication barrier is often trivial to satisfy. An attacker registers an account, authenticates, then submits a crafted multipart upload request to the vulnerable endpoint. The malicious file is written to a web-accessible directory and invoked via direct URL request to trigger code execution.

No verified public exploit code is available. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Code Reference for technical details.

Detection Methods for CVE-2025-6057

Indicators of Compromise

  • Unexpected .php, .phtml, or .phar files within wp-content/uploads/ directories tied to the WPBookit plugin
  • Newly registered low-privilege user accounts followed shortly by POST requests to profile upload endpoints
  • HTTP GET requests directly fetching files in the uploads directory with PHP extensions
  • Outbound network connections from the web server process to attacker-controlled infrastructure

Detection Strategies

  • Monitor WordPress access logs for POST requests to WPBookit profile controller endpoints originating from Subscriber accounts
  • Implement file integrity monitoring across wp-content/uploads/ to detect new executable file types
  • Inspect PHP-FPM and web server logs for execution of files within upload directories
  • Correlate user registration events with subsequent upload activity to identify suspicious patterns

Monitoring Recommendations

  • Enable detailed logging on WordPress REST API and admin-ajax endpoints used by WPBookit
  • Deploy a web application firewall ruleset that flags executable file extensions in multipart upload bodies
  • Track outbound DNS and HTTP requests from the web server to detect post-exploitation callbacks
  • Audit WordPress user role assignments and registration logs on a recurring basis

How to Mitigate CVE-2025-6057

Immediate Actions Required

  • Update the WPBookit plugin to a version later than 1.0.4 as soon as the vendor publishes a fixed release
  • Disable the WPBookit plugin if a patched version is not yet available
  • Disable open user registration or restrict default roles to remove the Subscriber attack prerequisite
  • Audit the wp-content/uploads/ directory for unauthorized files and remove any executable content

Patch Information

Review the WordPress Plugin Change Log for the latest commit history and patched release information. Administrators should verify the installed plugin version against the changeset before considering the system remediated.

Workarounds

  • Configure the web server to deny PHP execution within wp-content/uploads/ using directory-level rules
  • Apply WAF rules blocking multipart uploads containing PHP magic bytes or scripting extensions
  • Restrict access to the WPBookit upload endpoints by IP allowlist where feasible
  • Force re-authentication and rotate credentials for all Subscriber-level accounts pending remediation
bash
# Example Apache configuration to prevent PHP execution in uploads directory
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar|php[0-9]?)$">
        Require all denied
    </FilesMatch>
</Directory>

# Example Nginx equivalent
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.