CVE-2025-7852 Overview
The WPBookit plugin for WordPress contains a critical arbitrary file upload vulnerability in the image_upload_handle() function. This function, accessible via the add_new_customer route, fails to validate file types before processing uploads. The plugin directly calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, and without sanitizing the filename. This flaw enables unauthenticated attackers to upload arbitrary files, including malicious PHP scripts, potentially leading to remote code execution on the affected WordPress site.
Critical Impact
Unauthenticated attackers can upload arbitrary files including web shells, enabling complete server compromise and remote code execution without any authentication requirements.
Affected Products
- WPBookit WordPress Plugin versions up to and including 1.0.6
- WordPress sites running vulnerable WPBookit versions
Discovery Timeline
- 2025-07-24 - CVE-2025-7852 published to NVD
- 2025-07-25 - Last updated in NVD database
Technical Details for CVE-2025-7852
Vulnerability Analysis
This vulnerability represents a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) weakness in the WPBookit WordPress plugin. The vulnerable code path exists within the image_upload_handle() function located in the customer controller class. When processing image uploads through the add_new_customer route, the function accepts any file submitted by the client without performing security checks.
The absence of file type validation creates a direct path for attackers to upload executable content. Because the upload destination sits inside the web root and the web server is normally configured to execute PHP from that location, an uploaded PHP file can be requested directly over HTTP and runs immediately with the privileges of the web server process.
Root Cause
The root cause stems from insecure file upload handling in the image_upload_handle() function within class.wpb-customer-controller.php. The function directly processes user-supplied files using move_uploaded_file() without implementing essential security controls:
- No file extension whitelist or blacklist validation
- No MIME type verification or content inspection
- No filename sanitization to prevent path traversal or special characters
- No authentication requirement to access the upload endpoint
This design allows any remote user to submit files with arbitrary extensions (such as .php) through the customer registration form.
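The controls listed above, shown together in an added example of a hardened image upload handler. This is not WPBookit's code and not the vendor's fix; the function name, the nonce action name and the list of accepted image types are assumptions. It uses WordPress's own upload API (wp_check_filetype_and_ext(), sanitize_file_name(), wp_handle_upload()) in place of a bare move_uploaded_file() call, so that extension, content type and filename are all checked before anything is written to disk.

```php
<?php
// Added example: a hardened image upload handler for a WordPress plugin.
// Not WPBookit's code. Function name, nonce action and accepted types are
// assumptions. It applies the controls the advisory lists as missing:
// request authentication, an extension allowlist, MIME/content verification,
// filename sanitization, and WordPress's upload API instead of move_uploaded_file().

/**
 * Validate and store an uploaded image.
 *
 * @param array $file One entry of $_FILES, e.g. $_FILES['customer_image'].
 * @return string|WP_Error Stored file path on success, WP_Error on rejection.
 */
function example_secure_image_upload( array $file ) {
    // 1. Require a valid nonce so the request originates from the site's own
    //    form. When the route is not meant to be public, also require a
    //    logged-in user with an appropriate capability (current_user_can()).
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_customer_image' ) ) {
        return new WP_Error( 'forbidden', 'Invalid or missing request token.' );
    }

    // 2. Reject anything the PHP upload layer itself flagged, and anything
    //    that is not a genuine file from the current request.
    if ( ! isset( $file['tmp_name'], $file['name'], $file['error'] ) || $file['error'] !== UPLOAD_ERR_OK ) {
        return new WP_Error( 'upload_error', 'Upload failed or was malformed.' );
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_uploaded', 'Not a genuine uploaded file.' );
    }

    // 3. Filename sanitization: strip directory components, path separators
    //    and special characters before the name is used anywhere.
    $filename = sanitize_file_name( wp_basename( $file['name'] ) );

    // 4. Extension allowlist: only the raster image types this feature needs.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    // wp_check_filetype_and_ext() compares the extension with the detected
    // content type and returns an empty ext/type for anything not allowlisted.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF and WebP images are accepted.' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $filename = $check['proper_filename'];   // extension corrected to match content
    }

    // 5. Content inspection: the bytes must decode as an image and the
    //    detected MIME type must match the allowlisted one for the extension.
    $info = @getimagesize( $file['tmp_name'] );
    if ( $info === false || $info['mime'] !== $check['type'] ) {
        return new WP_Error( 'not_image', 'File content is not a valid image.' );
    }

    // 6. Hand the file to WordPress's upload API, which stores it under
    //    wp-content/uploads with a unique name and re-runs the type checks.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $file['name'] = $filename;
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'handle_upload', $result['error'] );
    }
    return $result['file'];
}
```

Each numbered step corresponds to one of the missing controls listed above. The content check in step 5 matters even with an allowlist: a PHP script renamed to .jpg passes an extension-only filter, but it does not decode as an image.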
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker can craft a malicious HTTP POST request to the add_new_customer endpoint, including a PHP web shell or other malicious script disguised as an image upload. Once uploaded, the attacker can access the file directly via the web server to execute arbitrary commands with the privileges of the web server process.
The attack flow involves:
- Identifying a WordPress site running vulnerable WPBookit versions
- Crafting a multipart form request targeting the add_new_customer route
- Uploading a PHP file containing malicious code
- Accessing the uploaded file via HTTP to trigger code execution
Since no authentication is required to access the upload functionality, the attack surface is significantly expanded.
Detection Methods for CVE-2025-7852
Indicators of Compromise
- Unusual PHP files appearing in WordPress upload directories with non-standard naming patterns
- Web server logs showing POST requests to the add_new_customer endpoint followed by requests to newly created files
- Unexpected outbound network connections from the web server process
- Modified .htaccess files or new PHP files in plugin directories
Detection Strategies
- Monitor file creation events in WordPress upload directories, specifically for executable file types (.php, .phtml, .phar)
- Implement web application firewall (WAF) rules to inspect multipart form uploads for PHP content signatures
- Review web server access logs for patterns indicating exploitation attempts against the add_new_customer route
- Deploy file integrity monitoring on the WordPress installation to detect unauthorized file additions
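The log-review strategy above, as an added example that is not part of the original advisory: a PHP script that parses Apache combined-format access log lines and reports requests for executable files under wp-content/uploads, noting when the same client sent a POST to the add_new_customer route earlier in the log. The sample lines are constructed, and the request path used for the route (an admin-ajax style action parameter) is an assumption; the match is on the route name, so adapt the prefix and path to how the route appears in your own logs.

```php
<?php
// Added example (not WPBookit or WordPress code): correlate access-log lines
// for the pattern the advisory describes, a POST to the add_new_customer
// route followed by a request for a newly created PHP file. Sample log lines
// are constructed; the route's URL form is an assumption.

const EXEC_EXT     = '/\.(php|phtml|phar)(\?|$)/i';
const UPLOAD_ROUTE = 'add_new_customer';
const UPLOADS_PATH = '/wp-content/uploads/';   // adjust for sites in a subdirectory

// Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
function parse_access_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

/**
 * Returns one finding per request for an executable file under the uploads
 * tree. 'after_upload' holds the timestamp of the most recent POST to the
 * upload route from the same client, or null if there was none.
 */
function find_upload_then_execute( array $lines ): array {
    $last_post = array();   // ip => time of most recent POST to the route
    $findings  = array();
    foreach ( $lines as $line ) {
        $r = parse_access_log_line( $line );
        if ( $r === null ) {
            continue;
        }
        if ( $r['method'] === 'POST' && strpos( $r['path'], UPLOAD_ROUTE ) !== false ) {
            $last_post[ $r['ip'] ] = $r['time'];
            continue;
        }
        $in_uploads = strpos( $r['path'], UPLOADS_PATH ) === 0;
        if ( $in_uploads && preg_match( EXEC_EXT, $r['path'] ) ) {
            $findings[] = array(
                'ip'           => $r['ip'],
                'path'         => $r['path'],
                'status'       => $r['status'],
                'after_upload' => isset( $last_post[ $r['ip'] ] ) ? $last_post[ $r['ip'] ] : null,
            );
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic). The route URL is assumed.
$sample = array(
    '203.0.113.7 - - [24/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=add_new_customer HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jul/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=add_new_customer HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jul/2025:10:00:09 +0000] "GET /wp-content/uploads/2025/07/avatar.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Jul/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/07/logo.png HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Jul/2025:10:01:30 +0000] "GET /wp-content/uploads/2025/07/cache.phtml HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
);

foreach ( find_upload_then_execute( $sample ) as $f ) {
    printf( "%s requested %s (HTTP %d)%s\n", $f['ip'], $f['path'], $f['status'],
        $f['after_upload'] ? " after POST to upload route at {$f['after_upload']}" : '' );
}
```

On the constructed input the script reports the avatar.php request from 203.0.113.7 with the preceding upload POST, and the cache.phtml request from 198.51.100.4 without one. Both are worth reviewing: a 200 means a script under uploads was served, while a 404 still shows someone probing for one.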
Monitoring Recommendations
- Enable detailed logging for the WPBookit plugin and WordPress upload functionality
- Configure alerts for new PHP file creation events in the wp-content/uploads directory tree
- Monitor for web shell signatures and suspicious command execution patterns in server logs
- Implement network traffic analysis to detect post-exploitation command and control communications
How to Mitigate CVE-2025-7852
Immediate Actions Required
- Update WPBookit plugin immediately to the latest patched version
- Review WordPress upload directories for any suspicious or unexpected PHP files
- If unable to update immediately, disable or remove the WPBookit plugin until patching is possible
- Scan the WordPress installation for web shells or other indicators of compromise
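The review and scan steps above, as an added example that is not part of the original advisory or of WordPress: a read-only PHP script that walks the wp-content/uploads tree and reports files with executable PHP extensions, files of any other type whose first bytes contain a PHP open tag (a script renamed to look like an image), and .htaccess files, which do not belong under uploads and can re-enable script execution. The uploads path is supplied by the caller; nothing is modified or deleted.

```php
<?php
// Added example (not WPBookit or WordPress code): read-only scan of the
// uploads tree for files that should never be there. Pass the uploads
// directory as the first argument.

function scan_uploads_for_scripts( string $uploads_dir ): array {
    $exec_ext = array( 'php', 'phtml', 'phar' );
    $findings = array();

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $name = $info->getFilename();
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        $why  = null;

        if ( $name === '.htaccess' ) {
            $why = '.htaccess inside uploads tree';
        } elseif ( in_array( $ext, $exec_ext, true ) ) {
            $why = 'executable extension';
        } else {
            // Read only the first 4 KiB: enough to catch a script that was
            // given an image extension or prefixed with a fake image header.
            $head = @file_get_contents( $path, false, null, 0, 4096 );
            if ( $head !== false && preg_match( '/<\?(php|=)/i', $head ) ) {
                $why = 'PHP open tag inside non-PHP file';
            }
        }
        if ( $why !== null ) {
            $findings[] = array(
                'path'     => $path,
                'reason'   => $why,
                'modified' => date( 'c', $info->getMTime() ),
            );
        }
    }
    // Newest first, usually the most useful order when triaging.
    usort( $findings, function ( $a, $b ) { return strcmp( $b['modified'], $a['modified'] ); } );
    return $findings;
}

// Usage: php scan_uploads.php /var/www/html/wp-content/uploads
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( scan_uploads_for_scripts( $argv[1] ) as $f ) {
        printf( "%s  %s  (%s)\n", $f['modified'], $f['path'], $f['reason'] );
    }
}
```

Modification times are reported so hits can be compared against the POST timestamps in the access log; treat any hit as a lead for investigation rather than proof of compromise, since a legitimate theme or plugin may occasionally drop an .htaccess file there.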
Patch Information
A security patch is available via WordPress Changeset 3331165. Users should update the WPBookit plugin to the latest available version through the WordPress admin dashboard or by downloading directly from the WordPress Plugin Directory.
For technical details on the vulnerable code, refer to the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Workarounds
- Implement web server configuration to deny execution of PHP files in upload directories
- Add .htaccess rules to block direct access to the add_new_customer endpoint if not needed
- Deploy a WAF rule to filter file uploads containing PHP code signatures
- Restrict the upload directory permissions to prevent script execution
# Apache configuration to prevent PHP execution in the uploads directory.
# Place it in the server or virtual host configuration (adjust the path to
# the site's document root); the FilesMatch block also works from an
# .htaccess file inside wp-content/uploads when AllowOverride permits it.
<Directory "/var/www/html/wp-content/uploads">
    # Refuse to serve any file with an executable PHP extension (Apache 2.4 syntax).
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
    # Also switch the PHP engine off for this tree. This directive only has
    # effect when PHP runs as mod_php; under PHP-FPM rely on the deny rule above.
    php_flag engine off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

