CVE-2025-6058
📋 TL;DR
The WPBookit WordPress plugin performs no file type validation on the image upload handled by its add_booking_type AJAX route, so an unauthenticated attacker can upload arbitrary files, including PHP scripts, into the site's uploads directory. Because the web server serves those files directly, this can lead to remote code execution. All WordPress sites running WPBookit version 1.0.4 or earlier are affected; version 1.0.5 fixes the issue.
💻 Affected Systems
- WPBookit WordPress plugin, version 1.0.4 and earlier
📦 What is this software?
WPBookit is an appointment and booking plugin for WordPress by Iqonic.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for malicious activities.
Likely Case
Attackers upload web shells to gain persistent access, install malware, or use the server as part of a botnet.
If Mitigated
File uploads are blocked or properly validated, preventing malicious file execution while maintaining plugin functionality.
🎯 Exploit Status
No authentication is required; the vulnerable route is a public admin-ajax.php action that accepts file uploads, so exploitation amounts to submitting a crafted upload and needs no special tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3314288%40wpbookit&new=3314288%40wpbookit&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find WPBookit and click 'Update Now'.
4. Verify the version is 1.0.5 or higher.
🔧 Temporary Workarounds
Disable WPBookit Plugin
Temporarily disable the vulnerable plugin until it can be updated (WP-CLI):
wp plugin deactivate wpbookit
Restrict File Uploads via .htaccess
Block direct execution of PHP and other script files in the uploads directory (Apache only)
Add to .htaccess in wp-content/uploads:
<FilesMatch "\.(php|php5|php7|php8|phtml|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Caveats: Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat replace the two inner lines with Require all denied, otherwise every request into the directory fails with a 500 error. The file is only honoured if AllowOverride permits it, and nginx ignores .htaccess entirely (use a location block that returns 403 for .php under /wp-content/uploads/ instead). This blocks only direct requests to the uploaded file; the upload itself still succeeds, so it is a stopgap until the plugin is updated, not a fix.
🧯 If You Can't Patch
- Disable the WPBookit plugin immediately
- Implement web application firewall rules that block multipart POST requests to /wp-admin/admin-ajax.php whose action parameter is add_booking_type; the parameter may arrive in either the query string or the request body, so the rule must inspect both
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WPBookit version 1.0.4 or earlier
Check Version:
wp plugin get wpbookit --field=version
Verify Fix Applied:
Verify WPBookit version is 1.0.5 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=add_booking_type, especially from clients without a WordPress login cookie (the action is visible in access logs only when it is in the query string; if it is in the POST body you need a WAF or ModSecurity audit log to see it)
- Files landing in wp-content/uploads with non-image extensions, or with a double extension such as name.php.jpg
- New PHP files in wp-content/uploads (WordPress itself never stores PHP files there), particularly with modification times after the plugin was installed
Network Indicators:
- Multipart POST requests to admin-ajax.php that carry a file but no wordpress_logged_in_* cookie
- Requests for newly created .php files under /wp-content/uploads/, including 403 responses if the .htaccess workaround is in place (an attacker probing for the uploaded shell)
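The filesystem side of the indicators above (PHP files, double extensions and stray .htaccess files in wp-content/uploads) can be hunted with a short script. The following Python is an added example, not code from the advisory or from the plugin vendor: it builds a constructed sample uploads tree in a temporary directory and flags PHP extensions, double extensions such as avatar.php.jpg, PHP open tags hidden inside files with image extensions, and an .htaccess that could remap .jpg to the PHP handler. Point hunt() at a real wp-content/uploads and pass newer_than as a Unix timestamp to limit the walk to files modified since the plugin was installed.

```python
import os
import re
import tempfile

# Extensions the web server may hand to the PHP interpreter.
PHP_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar)$', re.IGNORECASE)
# PHP open tags; checked inside the content so "image" files that are really scripts are caught.
PHP_TAG_RE = re.compile(rb'<\?php|<\?=|<script\s+language\s*=\s*["\']?php', re.IGNORECASE)


def is_suspicious_file(path):
    """Return the list of reasons a file under wp-content/uploads looks like a web shell."""
    name = os.path.basename(path)
    reasons = []
    if PHP_EXT_RE.search(name):
        reasons.append("php_extension")
    elif ".php" in name.lower():          # e.g. avatar.php.jpg
        reasons.append("double_extension")
    if name == ".htaccess":               # an attacker-dropped .htaccess can make .jpg execute as PHP
        reasons.append("htaccess_in_uploads")
    try:
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)     # a shell's open tag is near the start; no need to read everything
    except OSError:
        return reasons
    if PHP_TAG_RE.search(head):
        reasons.append("php_tag_in_content")
    return reasons


def hunt(uploads_dir, newer_than=None):
    """Walk uploads_dir and return suspicious files; newer_than (Unix time) keeps only files modified after it."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for fn in files:
            full = os.path.join(root, fn)
            if newer_than is not None and os.path.getmtime(full) < newer_than:
                continue
            reasons = is_suspicious_file(full)
            if reasons:
                rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
                hits.append({"path": rel, "reasons": reasons})
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree():
    """Constructed sample uploads tree for the demonstration (demo data, not real artifacts)."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    sub = os.path.join(base, "2025", "07")
    os.makedirs(sub)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "innocent.png": b"\x89PNG\r\n\x1a\n",
        "shell.php": b"<?php system($_GET['cmd']); ?>",
        "avatar.php.jpg": b"GIF89a<?php echo 1; ?>",
        ".htaccess": b"AddType application/x-httpd-php .jpg\n",
    }
    for name, content in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in hunt(demo):
        print(hit["path"], ",".join(hit["reasons"]))
```

The content check matters more than the extension check: an attacker who expects the .htaccess workaround will upload shell.jpg and rely on a second bug or a server misconfiguration to execute it, and only the open-tag scan catches that file.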
SIEM Query:
SIEM Query (pseudo-syntax; the outer parentheses matter, otherwise the AND binds tighter than the OR and the second clause matches PHP requests from every source):
source="web_server" AND ((uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="add_booking_type") OR (uri CONTAINS "/wp-content/uploads/" AND uri ENDS WITH ".php"))
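The same two rules as the query above, applied to raw access-log lines, as an added example that is not code from the advisory or the vendor. The sample lines are constructed in Apache/nginx combined format. The script flags POSTs to admin-ajax.php whose action query parameter is add_booking_type, flags any request for a PHP-like file under /wp-content/uploads/ (including a double extension such as x.php.jpg, which some Apache handler configurations still execute), and raises the severity when the same client did both, which is the upload-then-trigger sequence a web shell deployment produces. As noted above, an action carried only in the POST body is not in the access log, so the fourth sample line is deliberately not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:12:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=add_booking_type HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:12:01:05 +0000] "GET /wp-content/uploads/2025/07/shell.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2025:12:02:00 +0000] "GET /wp-content/uploads/2025/07/photo.jpg HTTP/1.1" 200 40231 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2025:12:02:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2025:12:03:00 +0000] "GET /wp-content/uploads/2025/07/x.php.jpg HTTP/1.1" 403 70 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP-like extension at the end of the path or followed by another extension (x.php.jpg).
PHP_EXT_RE = re.compile(r'\.(?:php\d?|phtml|phar)(?=\.|$)', re.IGNORECASE)

UPLOAD_ACTION = "add_booking_type"
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_upload_endpoint_post(rec):
    # Only detectable when the action is in the query string; a body-only action never reaches the access log.
    return (rec["method"] == "POST"
            and rec["path"] == "/wp-admin/admin-ajax.php"
            and rec["query"].get("action") == [UPLOAD_ACTION])


def is_php_in_uploads(rec):
    return rec["path"].startswith(UPLOADS_PREFIX) and PHP_EXT_RE.search(rec["path"]) is not None


def scan(log_text):
    """Return findings in log order; a PHP hit from a client that also posted to the upload route is 'high'."""
    findings = []
    uploaders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_endpoint_post(rec):
            uploaders.add(rec["ip"])
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "rule": "upload_endpoint_post",
                             "target": rec["target"], "status": rec["status"], "severity": "medium"})
        elif is_php_in_uploads(rec):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "rule": "php_in_uploads",
                             "target": rec["target"], "status": rec["status"],
                             "severity": "high" if rec["ip"] in uploaders else "medium"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["rule"], f["ip"], f["ts"], f["target"], f["status"])
```

A 403 on the PHP request (the last sample line) is still reported: with the .htaccess workaround in place it is the signature of an attacker probing for a shell that did get written, so the upload path should be checked even though the execution attempt was blocked.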
🔗 References
- https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-booking-type-controller.php#L455
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3314288%40wpbookit&new=3314288%40wpbookit&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1d779ad1-fdbe-444c-85c5-99146a1a03d8?source=cve