CVE-2025-6058
Published: 12 July 2025
Summary
CVE-2025-6058 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Iqonic Wpbookit. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function, which is hooked via the 'add_booking_type' route. This issue affects all versions up to and including 1.0.4 and is tracked as CWE-434, carrying a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the flaw over the network to upload arbitrary files to the server, which may enable remote code execution and full compromise of the affected site.
Public references include a Wordfence advisory and WordPress plugin repository changesets that document the vulnerable code path and subsequent fix, indicating that site administrators should apply the available plugin update to remediate the issue. The associated EPSS score has reached a peak of 0.2904.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21201
Vulnerability details
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated…
more
attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary unauthenticated file upload in public-facing WP plugin directly enables T1190 exploitation and T1100 web shell deployment for RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identification, reporting, and correction of the arbitrary file upload flaw in the WPBookit plugin, eliminating the vulnerability through patching.
Mandates validation of information inputs such as file types and contents at upload points, directly countering the missing file type validation in image_upload_handle().
Limits and controls permitted actions without identification or authentication, preventing unauthenticated exploitation of the 'add_booking_type' route for file uploads.