CVE-2025-6058 Overview
The WPBookit plugin for WordPress contains a critical arbitrary file upload vulnerability in the image_upload_handle() function. This function, accessible via the add_booking_type route, lacks proper file type validation, allowing unauthenticated attackers to upload malicious files to the affected server. Successful exploitation can lead to remote code execution, complete server compromise, and full takeover of the WordPress installation.
Critical Impact
Unauthenticated remote attackers can upload arbitrary files including PHP web shells, potentially achieving complete server compromise and remote code execution without any authentication.
Affected Products
- Iqonic WPBookit plugin for WordPress versions up to and including 1.0.4
- WordPress sites running vulnerable WPBookit Free edition
- All WordPress installations with WPBookit plugin prior to the security patch
Discovery Timeline
- 2025-07-12 - CVE-2025-6058 published to NVD
- 2025-07-16 - Last updated in NVD database
Technical Details for CVE-2025-6058
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The core issue resides in the image_upload_handle() function within the class.wpb-booking-type-controller.php file. When processing image uploads through the add_booking_type API route, the function fails to validate the file type, extension, or content of uploaded files.
The vulnerability is particularly severe because the affected endpoint does not require authentication, meaning any remote attacker can target vulnerable WordPress installations directly over the network. No user interaction is required to exploit this flaw, and the attacker needs no prior privileges or credentials on the target system.
Root Cause
The root cause is the complete absence of file type validation in the upload handling logic. The image_upload_handle() function at line 455 of class.wpb-booking-type-controller.php accepts file uploads without checking:
- File extension (allowing .php, .phtml, and other executable extensions)
- MIME type verification
- File content magic bytes
- Filename sanitization
This design oversight allows attackers to bypass intended image upload restrictions and place arbitrary executable files on the server.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker crafts a malicious HTTP request to the add_booking_type endpoint, including a file with a dangerous extension such as .php. The server accepts the upload without validation and stores the file in a web-accessible directory. The attacker then accesses the uploaded file directly via its URL, triggering execution of the malicious payload.
A typical attack flow involves:
- Identifying a WordPress site running a vulnerable version of WPBookit
- Crafting a multipart form request to the add_booking_type route with a PHP web shell disguised as an image upload
- Receiving the upload path from the server response
- Accessing the uploaded PHP file to execute arbitrary commands on the server
For detailed technical analysis, refer to the Wordfence Vulnerability Analysis and the WordPress Plugin Code Reference.
Detection Methods for CVE-2025-6058
Indicators of Compromise
- Unexpected PHP files or web shells in WordPress upload directories, particularly in paths associated with WPBookit
- HTTP POST requests to /wp-admin/admin-ajax.php or WPBookit API endpoints with file uploads containing executable extensions
- New files with suspicious names (e.g., randomized strings, common webshell names) in wp-content/uploads/ directories
- Outbound connections from the web server to unknown command-and-control infrastructure
Detection Strategies
- Monitor web server access logs for POST requests to add_booking_type endpoints with file attachments
- Implement file integrity monitoring on WordPress upload directories to detect unauthorized file creation
- Deploy web application firewall (WAF) rules to block uploads with executable file extensions to plugin endpoints
- Scan for known webshell signatures and suspicious PHP files in the WordPress installation
Monitoring Recommendations
- Enable detailed logging for all file upload operations in WordPress
- Configure real-time alerting for any PHP file creation in upload directories
- Implement network monitoring for unusual outbound traffic patterns from web servers
- Regularly audit WPBookit plugin version and ensure automatic update mechanisms are enabled
How to Mitigate CVE-2025-6058
Immediate Actions Required
- Update WPBookit plugin to the latest patched version immediately
- Audit WordPress upload directories for any suspicious or unauthorized files
- Temporarily disable the WPBookit plugin if an immediate update is not possible
- Review web server access logs for any evidence of exploitation attempts
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix is available in the WordPress Plugin Changeset Log. Site administrators should update to version 1.0.5 or later, which implements proper file type validation in the image_upload_handle() function.
Workarounds
- Implement server-level restrictions to block PHP execution in upload directories using .htaccess or web server configuration
- Deploy a web application firewall (WAF) with rules to block file uploads with executable extensions
- Restrict access to the WPBookit API endpoints using IP allowlisting or authentication middleware
- Consider removing or replacing the WPBookit plugin with an alternative if immediate patching is not feasible
# Apache .htaccess configuration to prevent PHP execution in uploads
# Place this file in wp-content/uploads/ directory
<FilesMatch "\.(?:php|phtml|php3|php4|php5|php7|phps|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
