- Description: The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Source: security@wordfence.com
- NVD status: Analyzed
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- security@wordfence.com: CWE-434
CVE-2025-6058 in the WPBookit plugin for WordPress allows unauthorized file uploads, which can lead to RCE. Important for website owners to act now! #säkerhet #cybersäkerhet #CVE
@Sakerhetsblogg
12 Jul 2025
🚨 WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload 📄 CVE-2025-6058 | CVSS: 9.8 (Critical) 🔗 Allows attackers to upload arbitrary files and gain RCE on vulnerable WordPress sites. PoC:https://t.co/nnloLc43vT #WordPress #CVE #Security #CyberSecurity
@Nxploited
12 Jul 2025
CVE-2025-6058 Unauthenticated Arbitrary File Upload Vulnerability in WPBookit WordPress Plugin https://t.co/oCoLPIBtQD
@VulmonFeeds
12 Jul 2025
CVE-2025-6058 The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_… https://t.co/Z7eHAUSJ4R
@CVEnew
12 Jul 2025
[CVE-2025-6058: CRITICAL] WordPress plugin WPBookit has a security flaw letting attackers upload files on the server, leading to possible remote code execution. Update to version 1.0.5 to patch the vulnerability.#cve,CVE-2025-6058,#cybersecurity https://t.co/l11xle2ESL https://t.
@CveFindCom
12 Jul 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:iqonic:wpbookit:*:*:*:*:free:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E6DAE9D5-60C5-47A3-AA71-81EC6CCF7376",
            "versionEndExcluding": "1.0.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]