CVE-2025-7852
WPBookit <= 1.0.6 - Unauthenticated Arbitrary File Upload via image_upload_handle Function
Description
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin’s image‐upload handler calls move_uploaded_file() on client‐supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
In plain language
AI Act nowCVE-2025-7852 is a security hole in the WPBookit WordPress plugin where anyone on the internet can upload a file to your site without logging in, which can lead to attackers taking over your site. If you use WPBookit version 1.0.6 or older, you should act urgently.
WPBookit (<= 1.0.6) has an unauthenticated arbitrary file upload flaw (CWE-434) in its image_upload_handle function that accepts client-supplied files without proper validation, enabling webshell-style persistence and potential remote code execution after exploitation attempts against internet-facing WordPress sites.
What to do now
- Check whether your WordPress site uses the WPBookit plugin and identify its installed version.
- If you have WPBookit 1.0.6 or older, assume it is exposed and immediately remove the plugin or disable the vulnerable file-upload feature.
- Look for an updated WPBookit release from the vendor; apply it as soon as it is available.
- Scan your site for newly uploaded suspicious files (for example, webshells) and review web server logs for unexpected upload activity.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
3 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2025-7852 and every CVE in our database. Create a free account — no credit card required.
Create Free Account