CVE-2025-6058: CWE-434 Unrestricted Upload of File with Dangerous Type in iqonicdesign WPBookit
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-6058 is a critical vulnerability in the WPBookit plugin for WordPress, developed by iqonicdesign. The flaw stems from missing file type validation in the image_upload_handle() function, which is invoked via the 'add_booking_type' route. Because the plugin does not restrict which file types may be uploaded, unauthenticated attackers can upload arbitrary files, including script files, to the server hosting the affected site, which can lead to remote code execution and loss of the server's confidentiality, integrity, and availability. All versions of WPBookit up to and including 1.0.4 are affected. The CVSS v3.1 base score is 9.8 (critical): network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No patch has been released yet; the CVE was assigned by Wordfence and is publicly disclosed. The absence of an authentication requirement and the ease of exploitation make this a highly dangerous issue for WordPress sites using this plugin, and given WordPress's global footprint, it poses a significant risk to a broad range of organizations, especially those relying on WPBookit for booking functionality.
Potential Impact
The impact of CVE-2025-6058 is severe for organizations worldwide using the WPBookit plugin. Successful exploitation allows an attacker to upload arbitrary files, which can lead to remote code execution on the web server and from there to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the organization's network. Confidentiality is affected through exposure of sensitive data, integrity through unauthorized modification, and availability through service disruption or denial of service. Because exploitation requires neither authentication nor user interaction, the attack surface is broad and automated exploitation attempts are likely. Organizations running WordPress sites with this plugin, especially those handling sensitive customer data or critical business functions, face significant operational and reputational risk. Compromised servers may also be enlisted in botnets or used to distribute malware, extending the threat beyond the initial target.
Mitigation Recommendations
To mitigate CVE-2025-6058, organizations should:
- Immediately audit their WordPress installations for the presence of the WPBookit plugin and its version.
- If the plugin is installed, disable or remove it until iqonicdesign releases a security patch.
- In the absence of an official patch, deploy web application firewall (WAF) rules that block or filter suspicious file upload attempts targeting the 'add_booking_type' route.
- Configure the web server and file permissions so that files in the upload directory cannot be executed as scripts, and isolate the upload directory from the web root where possible.
- Monitor server logs for unusual upload activity or access patterns.
- Enforce strict file type validation and malware scanning at the application or server level as a temporary control.
- Regularly back up website data and maintain an incident response plan so that any compromise can be addressed quickly.
- Engage with the plugin vendor for updates and apply patches promptly once available.
- Consider alternative booking plugins with a stronger security track record if timely patching is not feasible.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-13T12:58:43.616Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6871e88ea83201eaacb2c94c
Added to database: 7/12/2025, 4:46:06 AM
Last enriched: 2/27/2026, 3:59:49 PM
Last updated: 3/25/2026, 7:09:15 PM