Cyber Resilience

CVE-2025-7852

Severity: Critical (updated)

Published: 24 July 2025
Modified: 17 June 2026
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0121 (64.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-7852 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (product inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads in all versions through 1.0.6. The flaw resides in the image_upload_handle() function invoked through the add_new_customer route, which passes client-supplied files directly to move_uploaded_file() without extension, MIME-type, or filename validation. This corresponds to CWE-434 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can therefore upload arbitrary files to the server, enabling remote code execution on the affected WordPress site. No authentication or user interaction is required, and the attack can be performed over the network.

Public references, including the Wordfence advisory and the plugin’s Trac changeset 3331165, indicate that the issue is resolved by updating to a patched release that adds proper file-type restrictions. The current and peak EPSS scores remain low and unchanged at 0.0207.

Vulnerability details

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
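As an added illustration (not WPBookit's own code), the handler below shows the checks this description says are missing: an authentication and nonce gate on the route, an extension and MIME allow-list with content sniffing, and a server-generated filename. The function name, the AJAX action and the nonce action 'wpb_demo_upload' are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example (not WPBookit's code): a hardened WordPress image-upload handler
// adding the checks the advisory says image_upload_handle() lacked. The function
// name, the AJAX action and the nonce action 'wpb_demo_upload' are hypothetical.

// Weak pattern the advisory describes, shown for contrast (never use it):
//   move_uploaded_file( $_FILES['image']['tmp_name'], $dir . '/' . $_FILES['image']['name'] );
// The client controls both the bytes and the name, so any file type lands on disk.

function wpb_demo_image_upload_handle() {
    // The route must not be reachable unauthenticated: require a logged-in user
    // with upload rights and a valid nonce (CSRF protection).
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wpb_demo_upload', 'nonce' );

    if ( empty( $_FILES['image'] ) || UPLOAD_ERR_OK !== $_FILES['image']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['image'];

    // Allow-list extensions and MIME types. wp_check_filetype_and_ext() also
    // sniffs the bytes of image files, so a PHP script renamed to .png fails here.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Never keep the client-supplied filename: generate a random name with the
    // verified extension, so names like "x.php" or "../x" cannot reach the disk.
    $file['name'] = sanitize_file_name( wp_generate_uuid4() . '.' . $check['ext'] );

    // wp_handle_upload() re-runs WordPress's own type checks with the same
    // allow-list and moves the file into the uploads directory.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_wpb_demo_image_upload', 'wpb_demo_image_upload_handle' );
```

Pair this with a web-server rule that disables script execution under wp-content/uploads, so a validation slip still cannot turn an uploaded file into executable code.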

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An arbitrary, unauthenticated file upload in a public-facing WordPress plugin directly enables exploitation under T1190 and web-shell deployment under T1505.003 (formerly T1100) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50002 (shared CWE-434)
CVE-2015-10135 (shared CWE-434)
CVE-2025-69312 (shared CWE-434)
CVE-2015-10144 (shared CWE-434)
CVE-2025-44658 (shared CWE-434)
CVE-2026-37748 (shared CWE-434)
CVE-2025-49387 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2026-6518 (shared CWE-434)
CVE-2025-67968 (shared CWE-434)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mandates validation of client-supplied file inputs for type, MIME, and content, addressing the missing validation in WPBookit's image_upload_handle() function.

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of flaws such as the arbitrary file upload vulnerability in WPBookit versions up to 1.0.6 via patching.

Upload restriction (prevent)
Enforces restrictions on file extensions, MIME types, and filenames for uploads via the 'add_new_customer' route to block arbitrary file submissions.

References