CVE-2025-7852
Published: 24 July 2025
Summary
CVE-2025-7852 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads in all versions through 1.0.6. The flaw resides in the image_upload_handle() function invoked through the add_new_customer route, which passes client-supplied files directly to move_uploaded_file() without extension, MIME-type, or filename validation. This corresponds to CWE-434 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can therefore upload arbitrary files to the server, enabling remote code execution on the affected WordPress site. No authentication or user interaction is required, and the attack can be performed over the network.
Public references, including the Wordfence advisory and the plugin’s Trac changeset 3331165, indicate that the issue is resolved by updating to a patched release that adds proper file-type restrictions. The current and peak EPSS scores remain low and unchanged at 0.0207.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22478
Vulnerability details
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary unauthenticated file upload in a public-facing WordPress plugin directly enables T1190 exploitation and T1100 web shell deployment for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mandates validation of client-supplied file inputs for type, MIME, and content, addressing the missing validation in WPBookit's image_upload_handle() function.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws like the arbitrary file upload vulnerability in WPBookit versions up to 1.0.6 via patching.
- Enforces restrictions on file extensions, MIME types, and filenames for uploads via the 'add_new_customer' route to block arbitrary file submissions.
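The unchecked upload pattern described in the vulnerability details, next to the extension, MIME-type and filename restrictions listed under the mitigating controls, as an added PHP example (not WPBookit's code; the function names, the allowlist and the demo input are constructed for illustration):

```php
<?php
// Added example, not the plugin's source. Function names are hypothetical.

// Vulnerable shape as the advisory describes it: the client-supplied name and
// content go straight to the upload directory with no checks at all.
function unsafe_image_upload_handle(array $file, string $uploadDir): bool {
    return move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $file['name']);
}

// Hardened form: extension allowlist, MIME type sniffed from file content,
// the two must agree, and the stored filename is generated server-side.
const ALLOWED_IMAGE_TYPES = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Returns a safe server-side filename, or null when the upload is rejected.
function validate_image_upload(string $tmpPath, string $clientName): ?string {
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;                                   // extension not allowlisted
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $realMime = $finfo->file($tmpPath);                // derived from content, not the client's claim
    if ($realMime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;                                   // content does not match the extension
    }
    // Random name: no client-controlled path separators, double extensions or NUL bytes.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function safe_image_upload_handle(array $file, string $uploadDir): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = validate_image_upload($file['tmp_name'], $file['name']);
    if ($name === null) {
        return null;
    }
    $dest = $uploadDir . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed demo input: PHP source carrying an image extension, then a real PNG signature.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'not an image'; ?>");
var_dump(validate_image_upload($tmp, 'avatar.png'));   // PHP source disguised as PNG: fails the content check
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . str_repeat("\0", 16));
var_dump(validate_image_upload($tmp, 'avatar.png'));   // genuine PNG signature: passes and gets a generated name
unlink($tmp);
```

The demo exercises only validate_image_upload(), because move_uploaded_file() refuses files that did not arrive through an HTTP upload; inside a request handler the same check runs before the move.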