CVE-2025-6057
WPBookit · WPBookit plugin for WordPress
A critical vulnerability has been identified in the WPBookit plugin for WordPress, which allows an unauthenticated attacker to upload malicious files to an affected website.
Executive summary
A critical vulnerability has been identified in the WPBookit plugin for WordPress, which allows an unauthenticated attacker to upload malicious files to an affected website. This flaw stems from a failure to validate file types during the upload process. Successful exploitation could grant an attacker full control over the website, leading to data theft, service disruption, or further compromise of the hosting environment.
Vulnerability
The vulnerability exists within the handle_image_upload() function of the WPBookit plugin. This function does not properly validate the type of file being uploaded, a flaw known as Unrestricted File Upload. An attacker can exploit this by crafting a request to upload a malicious script (e.g., a PHP web shell) disguised as an image file. Because the server-side code fails to check the file's extension or content, the malicious file is saved to the web server, and the attacker can then execute it simply by requesting its URL, achieving remote code execution on the server.
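The check that the advisory says handle_image_upload() lacks can be illustrated with an added example; this is not WPBookit's code or the vendor's patch, and the allow-list and magic-byte table are this example's own choices. It decides from the file name and the first bytes of the content whether an upload may be stored, ignoring anything the client claims about the file.

```python
"""Added example (not WPBookit's own code): server-side validation of an image
upload by extension allow-list and file signature, rejecting double extensions,
path components and embedded PHP tags. Allow-list and signatures are assumptions."""
import os

# Allowed image extensions and the file signatures (magic bytes) each must carry.
ALLOWED = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}


def validate_image_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Rejects on name, extension or content mismatch."""
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):
        return False, "path components or hidden names are not allowed"
    # Reject double extensions such as 'shell.php.jpg': exactly one dot permitted.
    if base.count(".") != 1:
        return False, "exactly one extension is required"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r is not in the allow-list" % ext
    # The content must carry the signature of the image type the name declares,
    # regardless of the Content-Type the client sent.
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match the declared image type"
    # A valid image header followed by PHP code is still dangerous if the server
    # ever executes the file, so refuse embedded PHP open tags as well.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a real PNG header and a script renamed to look like an image.
    print(validate_image_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(validate_image_upload("shell.php.jpg", b"\xff\xd8\xff"))
    print(validate_image_upload("shell.jpg", b"<?php /* constructed */ ?>"))
```

The signature check is what makes the difference for this class of bug: extension-only checks are defeated by renaming, and Content-Type checks are defeated by editing the request. Storing accepted files under a server-generated name, and serving the uploads directory with script execution disabled, closes the remaining gaps.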
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to the business. A successful attack could lead to a complete compromise of the WordPress site, resulting in severe consequences such as the theft of sensitive customer data or intellectual property, financial loss from fraudulent activities, and significant reputational damage. The compromised website could also be used to host malware or launch phishing attacks against customers, creating further liability and cleanup costs for the organization.
Remediation
Immediate Action: Immediately update the WPBookit plugin to the latest patched version provided by the vendor. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it from the WordPress installation to eliminate the threat.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's file upload endpoints. Implement File Integrity Monitoring (FIM) to detect the creation of unexpected files (e.g., .php, .phtml, .sh) in the WordPress uploads directory (/wp-content/uploads/). Network monitoring should be used to detect any unusual outbound connections from the web server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to inspect file uploads and block executable file types. Additionally, configure the web server to deny execution permissions for files within the uploads directory, which can prevent an uploaded web shell from being executed.
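The monitoring steps above can be turned into concrete checks. The following is an added example, not part of the advisory or of the plugin: it parses access-log lines in the common Apache/nginx combined format, flags POST requests to the plugin's upload handler, flags successful requests for script files under the uploads directory (the "accessing its URL" step described in the Vulnerability section), and sweeps the uploads tree for unexpected executable extensions. The advisory does not name WPBookit's upload endpoint, so the endpoint pattern and the admin-ajax action name in the sample log are assumptions; the log lines and files are constructed for the example.

```python
"""Added example (not from the advisory or WPBookit): access-log and uploads-directory
checks for the remediation guidance. Endpoint pattern and sample data are assumptions."""
import os
import re
import tempfile

# Extensions the advisory names (.php, .phtml, .sh) plus two other extensions that
# web servers commonly hand to PHP; extend to match your own server configuration.
EXECUTABLE_EXT = {".php", ".phtml", ".sh", ".php5", ".phar"}

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Assumed pattern for the plugin's upload handler: path or query string naming the
# plugin together with an upload action.
UPLOAD_ENDPOINT = re.compile(r"wpbookit.*upload", re.IGNORECASE)
# Script files requested directly from the uploads directory.
UPLOADS_SCRIPT = re.compile(r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_upload_posts(lines):
    """POST requests to the (assumed) plugin upload endpoint: candidates for review."""
    return [(r["ip"], r["ts"], r["path"]) for r in parse(lines)
            if r["method"] == "POST" and UPLOAD_ENDPOINT.search(r["path"])]


def executed_uploads(lines):
    """Successful requests for script files under uploads: a high-fidelity alert."""
    return [(r["ip"], r["ts"], r["path"]) for r in parse(lines)
            if UPLOADS_SCRIPT.match(r["path"]) and r["status"].startswith("2")]


def executable_files_in_uploads(uploads_dir):
    """FIM-style sweep: an executable extension anywhere in the name is reported,
    so both 'shell.php' and 'shell.php.jpg' show up. Paths use '/' for portability."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            parts = name.lower().split(".")[1:]
            if any("." + p in EXECUTABLE_EXT for p in parts):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


# Constructed log lines: documentation-range IPs, placeholder action name.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /wp-content/plugins/wpbookit/assets/app.js HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpbookit_image_upload HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Jul/2025:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Jul/2025:12:00:05 +0000] "GET /wp-content/uploads/2025/07/avatar.php HTTP/1.1" 200 1450',
    '198.51.100.7 - - [10/Jul/2025:12:00:06 +0000] "GET /wp-content/uploads/2025/07/photo.jpg HTTP/1.1" 200 40211',
]


def build_sample_uploads_dir():
    """Create a throwaway uploads tree with constructed files for the sweep."""
    base = tempfile.mkdtemp(prefix="uploads-")
    for rel, content in {
        "2025/07/photo.jpg": b"\xff\xd8\xff",
        "2025/07/avatar.php": b"<?php /* constructed placeholder */ ?>",
        "2025/07/pic.php.jpg": b"\xff\xd8\xff",
    }.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for hit in suspicious_upload_posts(SAMPLE_LOG):
        print("review upload POST:", hit)
    for hit in executed_uploads(SAMPLE_LOG):
        print("ALERT script served from uploads:", hit)
    print("unexpected files:", executable_files_in_uploads(build_sample_uploads_dir()))
```

The three checks have different value: upload POSTs are normal traffic on a booking site and only warrant review when they come from unexpected sources or in volume, whereas a 2xx response for a .php file under /wp-content/uploads/ should never happen on a correctly configured server and is worth an immediate alert. If the compensating control of denying script execution in the uploads directory is in place, the same request would show up as a 403 instead, which is itself a useful signal that someone tried.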
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a critical risk that could lead to a full server compromise. Given the high CVSS score of 8.8 and the ease of exploitation, we recommend immediate action. Organizations must prioritize applying the vendor-supplied patch or removing the vulnerable plugin entirely. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity dictates that it should be treated with the highest urgency to prevent potential compromise.