
CVE-2025-6058: CWE-434 Unrestricted Upload of File with Dangerous Type in iqonicdesign WPBookit

Critical
Tags: Vulnerability, CVE, cve-2025-6058, cwe-434
Published: Sat Jul 12 2025 (07/12/2025, 04:22:21 UTC)
Source: CVE Database V5
Vendor/Project: iqonicdesign
Product: WPBookit

Description

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

AI-Powered Analysis

Last updated: 07/19/2025, 21:03:53 UTC

Technical Analysis

CVE-2025-6058 is a critical vulnerability identified in the WPBookit plugin for WordPress, developed by iqonicdesign. The vulnerability stems from improper validation of file types in the image_upload_handle() function, which is triggered via the 'add_booking_type' route. This flaw allows unauthenticated attackers to upload arbitrary files to the server hosting the affected WordPress site. Since the plugin fails to restrict or validate the types of files uploaded, attackers can potentially upload malicious scripts or executables. This can lead to remote code execution (RCE), enabling attackers to execute arbitrary code on the server, compromise the website, steal sensitive data, or pivot to other internal systems. The vulnerability affects all versions up to and including 1.0.4 of WPBookit. The CVSS v3.1 score is 9.8 (critical), reflecting the high impact and ease of exploitation (no authentication or user interaction required). Although no public exploits have been reported in the wild yet, the vulnerability's nature and severity make it a prime target for attackers. The CWE-434 classification highlights the core issue as unrestricted file upload of dangerous types, a common vector for web application compromise. Given the widespread use of WordPress and the popularity of booking plugins for service-oriented websites, this vulnerability poses a significant risk to affected sites.

Potential Impact

For European organizations, the impact of this vulnerability can be severe. Many businesses, including hotels, travel agencies, event organizers, and service providers, rely on WordPress plugins like WPBookit to manage bookings and customer interactions. Exploitation could lead to full server compromise, data breaches involving personal customer data (including GDPR-protected information), service disruption, and reputational damage. Attackers could use the vulnerability to deploy ransomware, steal payment information, or conduct further lateral attacks within corporate networks. The criticality of the vulnerability means that even small and medium enterprises using WPBookit are at risk, potentially affecting a broad range of sectors such as hospitality, tourism, and event management across Europe. Additionally, compromised websites could be used as launchpads for phishing campaigns or malware distribution, amplifying the threat landscape regionally.

Mitigation Recommendations

Immediate mitigation steps include updating the WPBookit plugin to a patched version once released by iqonicdesign. Until a patch is available, organizations should consider disabling the plugin or restricting access to the 'add_booking_type' route through web application firewalls (WAFs) or server-level access controls. Implementing strict file upload validation rules at the server or application level can help prevent malicious file types from being accepted. Monitoring web server logs for suspicious upload attempts and scanning for unauthorized files can aid early detection. Employing security plugins that detect and block malicious uploads and ensuring the WordPress core and all plugins/themes are regularly updated reduces overall risk. Organizations should also conduct thorough security audits and penetration testing focused on file upload functionalities. Finally, applying the principle of least privilege to the web server and plugin file system permissions can limit the impact of a successful exploit.
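As an added example, not code from the page or from WPBookit, the following hardened WordPress upload handler shows the controls the recommendations above call for: no unauthenticated hook, a nonce and capability check, and an allowlist that checks both the extension and the file content. The hook name `example_add_booking_type`, the form field `image`, and the use of the admin-ajax transport are assumptions, since the page does not state the plugin's actual route type or parameters.

```php
<?php
// Hypothetical hardened upload handler (added example, not WPBookit's code).
// No 'wp_ajax_nopriv_' hook is registered, so unauthenticated requests never
// reach the handler at all; that alone closes the reported attack path.
add_action( 'wp_ajax_example_add_booking_type', 'example_image_upload_handle' );

function example_image_upload_handle() {
    // 1. Authorization: nonce and capability before touching $_FILES.
    check_ajax_referer( 'example_add_booking_type', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['image'] ) || ! is_uploaded_file( $_FILES['image']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['image'];

    // 2. Allowlist of image extensions/MIME types; everything else is rejected.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // 3. Check extension AND content: wp_check_filetype_and_ext() sniffs the
    //    bytes, so a script renamed to .png or a double extension fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // It must also parse as a real image with non-zero dimensions.
    $dims = @getimagesize( $file['tmp_name'] );
    if ( false === $dims || $dims[0] < 1 || $dims[1] < 1 ) {
        wp_send_json_error( 'not a valid image', 415 );
    }

    // 4. Store via WordPress' own uploader with the same allowlist, so the saved
    //    name is sanitized and can only carry an allowed extension.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Pair this with a web-server rule that refuses to execute scripts from the uploads directory, so that even a validation bypass cannot turn an uploaded file into code execution.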


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-13T12:58:43.616Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6871e88ea83201eaacb2c94c

Added to database: 7/12/2025, 4:46:06 AM

Last enriched: 7/19/2025, 9:03:53 PM

Last updated: 8/17/2025, 9:29:15 AM
