CVE-2025-6058: 
WordPress vulnerability analysis and mitigation

The WPBookit plugin for WordPress (versions up to and including 1.0.4) contains an arbitrary file upload vulnerability (CVE-2025-6058) discovered on July 12, 2025. The vulnerability exists in the imageuploadhandle() function hooked via the 'addbookingtype' route, which lacks proper file type validation (NVD).

The vulnerability stems from insufficient file type validation in the imageuploadhandle() function. While the function attempts to validate file types, it does so after moving the uploaded file, creating a window for exploitation. The vulnerability has been assigned a CVSS v3.1 score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, potentially enabling remote code execution. This could lead to complete system compromise, allowing attackers to gain unauthorized access to sensitive data, modify website content, or use the server for malicious purposes (NVD).

The vulnerability has been patched in version 1.0.5 of the WPBookit plugin. Site administrators are strongly advised to update to this version immediately. The patch implements proper file type validation before file upload processing (WordPress Plugin).