CVE-2025-6058

Critical CVSS: 9.8

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Vendor

Iqonic

Product

Wpbookit

CWE

CWE-434

Yayın Tarihi

2025-07-12 05:15:22

Güncelleme

2025-07-16 14:57:37

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-434 Wpbookit CRITICAL Iqonic 2025

Referanslar

https://plugins.trac.wordpress.org/browser/wpbookit/trunk/core/admin/classes/controllers/class.wpb-booking-type-controller.php#L455 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3314288%40wpbookit&new=3314288%40wpbookit&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/1d779ad1-fdbe-444c-85c5-99146a1a03d8?source=cve

Benzer Kayıtlar

High

CVE-2025-6057

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the han…

Critical

CVE-2025-3810

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and…

Critical

CVE-2025-3811

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and…

Medium

CVE-2025-32254

Missing Authorization vulnerability in Iqonic Design WPBookit wpbookit allows Accessing Functionality Not Properly Const…

Medium

CVE-2025-26910

Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit wpbookit allows Stored XSS.This issue affects…

Medium

CVE-2025-1572

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i…