CVE-2025-7852

Name of the Vulnerable Software and Affected Versions WPBookit versions prior to 1.0.7

Description The WPBookit plugin for WordPress is susceptible to arbitrary file uploads due to a lack of file type validation in the image upload handle() function. This function is connected via the 'add new customer' route. The plugin uses move uploaded file() on client-supplied files without restricting allowed extensions or MIME types, or sanitizing the filename. This allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution.

Recommendations WPBookit versions prior to 1.0.7: Update to version 1.0.7 or later.