CVE-2025-6057

Severity: High · Updated

Published: 12 July 2025
Modified: 17 June 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0064 (46.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-6057 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Iqonic Wpbookit. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function. This affects all versions up to and including 1.0.4 and is tracked as CVE-2025-6057 with a CVSS 3.1 score of 8.8 and CWE-434.

Authenticated attackers with Subscriber-level access or higher can exploit the flaw by uploading arbitrary files to the server, which may enable remote code execution on the affected site. The vulnerability is exploitable over the network without user interaction.

Advisories referenced in the Wordfence threat intelligence entry and the plugin's WordPress.org and Trac records indicate that the issue was addressed via a code change in changeset 3326098, with the fixed version available through the official plugin repository at wordpress.org/plugins/wpbookit. The associated EPSS score remains flat at 0.0261 with no material increase observed after disclosure.

Vulnerability details

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file upload in a public-facing WordPress plugin directly enables T1190 (initial access via public app exploit) and web shell deployment (T1100/T1505.003), leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-6058: same product (Iqonic Wpbookit)
- CVE-2025-0357: same product (Iqonic Wpbookit)
- CVE-2025-26910: same product (Iqonic Wpbookit)
- CVE-2024-10215: same product (Iqonic Wpbookit)
- CVE-2026-27067: shared CWE-434
- CVE-2025-62056: shared CWE-434
- CVE-2026-38526: shared CWE-434
- CVE-2025-67924: shared CWE-434
- CVE-2025-1572: same vendor (Iqonic)
- CVE-2021-47888: shared CWE-434

Affected Assets

Vendor: iqonic
Product: wpbookit
Versions: ≤ 1.0.5

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- SI-10 Information Input Validation (prevent): Mandates validation of file types and content in uploads, directly countering the missing file type validation in the WPBookit plugin's handle_image_upload() function.
- SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and patching of the arbitrary file upload flaw in WPBookit versions up to 1.0.4.
- Malicious Code Protection (prevent, detect): Deploys malicious code protection mechanisms to scan and block potentially executable files uploaded via the vulnerability.
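As an added example (not WPBookit's code, nor a reproduction of changeset 3326098), the following WordPress AJAX handler shows the file-type and content validation that SI-10 calls for and that the advisory says handle_image_upload() lacked. The hook name, the `upload_files` capability check, the nonce action and the accepted image types are assumptions for illustration.

```php
<?php
// Hardened image-upload handler for a WordPress plugin (illustrative, not WPBookit's).
// The hook and nonce names are hypothetical; every WP function used is core WordPress.
require_once ABSPATH . 'wp-admin/includes/file.php';

add_action( 'wp_ajax_example_image_upload', 'example_handle_image_upload' );

function example_handle_image_upload() {
    // 1. Authorization: a logged-in Subscriber must not be able to reach the upload.
    check_ajax_referer( 'example_image_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['image'] ) || UPLOAD_ERR_OK !== $_FILES['image']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['image'];

    // 2. Allowlist by extension AND detected MIME type. The browser-supplied
    //    type and filename are never trusted on their own (the CWE-434 gap).
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 3. Content check: the bytes must actually decode as an image.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        wp_send_json_error( 'file is not a valid image', 415 );
    }

    // 4. Store under a server-chosen name so a double extension such as
    //    "x.php.jpg" never reaches disk; wp_handle_upload re-applies the allowlist.
    $overrides = array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_uuid4() . $ext; // $ext already includes the dot
        },
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Pairing the allowlist with a server-chosen filename is what turns SI-10 into a real control here: even a file that passes the extension check cannot choose the name it is stored under.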