CVE-2025-6057
Published: 12 July 2025
Summary
CVE-2025-6057 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Iqonic Wpbookit. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function. This affects all versions up to and including 1.0.4 and is tracked as CVE-2025-6057 with a CVSS 3.1 score of 8.8 and CWE-434.
Authenticated attackers with Subscriber-level access or higher can exploit the flaw by uploading arbitrary files to the server, which may enable remote code execution on the affected site. The vulnerability is exploitable over the network without user interaction.
Advisories referenced in the Wordfence threat intelligence entry and the plugin's WordPress.org and Trac records indicate that the issue was addressed via a code change in changeset 3326098, with the fixed version available through the official plugin repository at wordpress.org/plugins/wpbookit. The associated EPSS score remains flat at 0.0261 with no material increase observed after disclosure.
EU & UK References
- ENISA EUVD: EUVD-2025-21200
Vulnerability details
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a public-facing WordPress plugin directly enables T1190 (initial access via exploitation of a public-facing application) and web shell deployment (T1100/T1505.003), leading to RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Mandates validation of file types and content in uploads, directly countering the missing file type validation in the WPBookit plugin's handle_image_upload() function.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of the arbitrary file upload flaw in WPBookit versions up to 1.0.4.
- SI-3 (Malicious Code Protection): Deploys malicious code protection mechanisms to scan and block potentially executable files uploaded via the vulnerability.
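As an added illustration (not WPBookit's code and not the changeset 3326098 fix), the following hypothetical WordPress AJAX upload handler shows the input validation that SI-10 calls for and that the vulnerable handle_image_upload() lacked: a capability check, a nonce, an image allow-list verified against the file's actual content with wp_check_filetype_and_ext(), and storage through wp_handle_upload(). The function name and AJAX action are assumptions.

```php
<?php
// Added example: hardened image-upload handler for a WordPress plugin.
// Not WPBookit's code; the function name and AJAX action are hypothetical.
// Defences: capability check, nonce, strict allow-list validated against file
// content, and storage via the core upload API (no raw move_uploaded_file()).

function example_hardened_image_upload() {
    // Only users allowed to upload media, and only with a valid nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_image_upload' );

    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['image'];

    // Allow-list of image types; anything else (php, phtml, html, svg, ...) is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Checks the declared extension AND sniffs the real content (getimagesize/finfo);
    // an unknown type or an extension/content mismatch yields empty 'ext'/'type'.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Core may propose a corrected name when the extension disagrees with the content.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    // Let core store the file: sanitised name, uploads directory, allow-list enforced again.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_image_upload', 'example_hardened_image_upload' );
```

Pairing this with a web-server rule that refuses to execute scripts from the uploads directory gives a second layer should the allow-list ever be bypassed.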