CVE-2025-6058

The WPBookit plugin for WordPress

A critical vulnerability exists in the WPBookit plugin for WordPress, identified as CVE-2025-6058 with a CVSS score of 9.8.

Executive summary

A critical vulnerability exists in the WPBookit plugin for WordPress, identified as CVE-2025-6058 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to upload arbitrary files, including malicious scripts, to a vulnerable website. Successful exploitation could result in a complete system compromise, leading to data theft, website defacement, and further network intrusion.

Vulnerability

The plugin contains an arbitrary file upload vulnerability within its image_upload_handle() function. This function, accessible via the add_booking_type route, fails to properly validate the types of files being uploaded. An unauthenticated attacker can craft a request to this endpoint to upload a malicious file (e.g., a PHP web shell) disguised as a standard image, bypassing any intended restrictions. Once the malicious file is on the server, the attacker can execute it, achieving remote code execution in the context of the web server user.
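To make the flaw class concrete, the following is an added illustration written for this advisory, not WPBookit's own code: a naive upload check that trusts the client's filename and Content-Type, beside a hardened check of the kind a fixed handler should perform. All function names, the sample bytes and the allow-list are hypothetical; the advisory does not show the plugin's actual implementation.

```python
"""
Upload-type validation, weak form beside hardened form.
Generic example written for this advisory; it is NOT the WPBookit plugin's code.
Function names, sample data and the allow-list are hypothetical.
"""
import os
import secrets
from typing import Optional

# Allow-listed image extensions and the magic bytes each must start with.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample inputs (not real files): a script body carrying an image
# name, and a minimal PNG header followed by filler bytes.
SCRIPT_AS_IMAGE = b"<?php /* constructed placeholder body, not a payload */ ?>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def naive_accepts(filename: str, client_content_type: str) -> bool:
    """Weak check: trusts only the client-supplied name and Content-Type.
    Any file called *.png with a claimed image/* type passes, whatever it holds."""
    return client_content_type.startswith("image/") and filename.lower().endswith(
        (".png", ".jpg", ".jpeg", ".gif")
    )


def hardened_validate(filename: str, data: bytes, is_authorized: bool) -> Optional[str]:
    """Hardened check. Returns a server-chosen safe filename, or None if rejected.

    - requires an authorization decision first (the advisory's flaw is reachable
      unauthenticated, so the route itself must be gated);
    - takes the extension after the LAST dot and requires it to be allow-listed,
      so 'x.php' is rejected and 'x.php.png' is judged as '.png';
    - requires the body to start with the magic bytes for that extension,
      so a script merely renamed to .png is rejected;
    - rejects a PHP open tag anywhere in the body, a heuristic against
      image/script polyglots (a valid image with code appended);
    - discards the client's name and generates a random server-side name.
    """
    if not is_authorized:
        return None
    base = os.path.basename(filename)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return None
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return None
    if b"<?php" in data or b"<?=" in data:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print("naive accepts disguised script:", naive_accepts("disguised.png", "image/png"))
    print("hardened accepts disguised script:", hardened_validate("disguised.png", SCRIPT_AS_IMAGE, True))
    print("hardened accepts real PNG:", hardened_validate("photo.png", REAL_PNG, True))
```

The content-sniffing and open-tag checks are a defence in depth, not a substitute for the server hardening in the remediation section: a polyglot that passes every content check is still harmless if the web server never executes scripts from the uploads directory.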

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to a complete compromise of the web server hosting the WordPress site. The potential business impact includes, but is not limited to, the theft of sensitive data such as customer information and payment details, significant reputational damage, financial loss from business disruption, and the use of the compromised server as a pivot point for further attacks against the internal network or to distribute malware.

Remediation

Immediate Action: Update the WPBookit plugin for WordPress to the latest patched version on all instances. After patching, check for signs of earlier exploitation by reviewing server access logs and scanning for unauthorized files.

Proactive Monitoring:

  • Log Analysis: Review web server access logs for POST requests to endpoints associated with the add_booking_type route. Scrutinize the WordPress uploads directory for suspicious files (e.g., .php, .phtml, .phar) or files with unexpected names or timestamps.
  • File Integrity Monitoring (FIM): Implement or review FIM alerts for unexpected file creation or modification within the WordPress core, plugin, and upload directories.
  • Network Traffic: Monitor for unusual outbound network connections originating from the web server, which could indicate a successful compromise and communication with a command-and-control server.
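The log-analysis and uploads-directory checks above, as an added example for this advisory (not vendor tooling): it parses combined-format access log lines, flags POST requests whose request line contains the add_booking_type route name and successful GETs for script files under /wp-content/uploads/, and separately lists files in the uploads tree whose name carries a script extension (including doubled extensions such as x.php.png). The log lines, hostnames and file names are constructed; the exact URL shape of the vulnerable route is not given in the advisory, so the matcher looks for the route name anywhere in the request path or query rather than assuming a particular endpoint.

```python
"""
Hunting for indicators of CVE-2025-6058 exploitation in web server logs and
the WordPress uploads tree. Added example for this advisory; sample data is
constructed and the URL shape of the route is an assumption.
"""
import os
import re
from datetime import datetime
from typing import Dict, Iterable, List

# Apache/nginx combined log format:
# host ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
ROUTE_MARKER = "add_booking_type"           # route name from the advisory
UPLOADS_PREFIX = "/wp-content/uploads/"
SCRIPT_EXTS = {"php", "phtml", "phar"}      # extensions named in the advisory

# Constructed sample log (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:15:32 +0000] "GET /wp-content/uploads/2025/07/photo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped
198.51.100.7 - - [10/Jul/2025:10:16:01 +0000] "POST /booking/?route=add_booking_type HTTP/1.1" 200 312 "-" "python-requests/2.32"
198.51.100.7 - - [10/Jul/2025:10:16:05 +0000] "GET /wp-content/uploads/2025/07/x.php HTTP/1.1" 200 43 "-" "curl/8.0"
203.0.113.9 - - [10/Jul/2025:10:17:40 +0000] "GET /wp-content/uploads/2025/07/y.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line; returns {} for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def hunt_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return findings for (a) POSTs to the add_booking_type route and
    (b) successful (2xx) requests for script files under the uploads prefix."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        when = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z").isoformat()
        path_only = rec["path"].split("?", 1)[0].lower()
        ext = path_only.rsplit(".", 1)[-1] if "." in path_only else ""
        if rec["method"] == "POST" and ROUTE_MARKER in rec["path"]:
            findings.append({"kind": "upload_route_post", "host": rec["host"],
                             "time": when, "path": rec["path"], "agent": rec["agent"]})
        if (path_only.startswith(UPLOADS_PREFIX) and ext in SCRIPT_EXTS
                and rec["status"].startswith("2")):
            findings.append({"kind": "script_served_from_uploads", "host": rec["host"],
                             "time": when, "path": rec["path"], "agent": rec["agent"]})
    return findings


def suspicious_upload_names(relative_paths: Iterable[str]) -> List[str]:
    """Select paths whose file name has a script extension in ANY position
    after the first dot, so both 'x.php' and 'y.php.png' are reported."""
    hits = []
    for rel in relative_paths:
        name = os.path.basename(rel)
        parts = name.lower().split(".")[1:]
        if any(p in SCRIPT_EXTS for p in parts):
            hits.append(rel)
    return sorted(hits)


def scan_uploads(root: str) -> List[str]:
    """Walk a real uploads directory and apply suspicious_upload_names()."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return suspicious_upload_names(found)


if __name__ == "__main__":
    for f in hunt_access_log(SAMPLE_LOG.splitlines()):
        print(f)
    # Constructed directory listing standing in for a real uploads tree.
    print(suspicious_upload_names(["2025/07/photo.png", "2025/07/x.php", "2025/07/y.php.png"]))
```

A hit on either log check is a lead, not proof: confirm by comparing the flagged file's creation time against the POST timestamp and by reviewing the file's contents, and extend SCRIPT_EXTS with whatever other extensions the web server is configured to execute.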

Compensating Controls: If immediate patching is not feasible, consider the following controls:

  • Web Application Firewall (WAF): Deploy a WAF with rules specifically designed to block malicious file uploads and requests targeting the vulnerable add_booking_type endpoint.
  • Disable Plugin: If the plugin's functionality is not critical, disable and uninstall it until patching can be completed.
  • Server Hardening: Configure the web server to prevent the execution of scripts (e.g., PHP) from within the /wp-content/uploads/ directory.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for complete system compromise, this vulnerability poses a severe risk to the organization. We strongly recommend that all teams responsible for WordPress instances identify systems running the WPBookit plugin and apply the vendor-supplied security patch immediately as a top priority. If patching cannot be performed right away, the plugin should be disabled to remove the attack surface. Organizations should assume they are being targeted and proactively hunt for indicators of compromise as outlined in the monitoring plan.