CVE-2025-7852: CWE-434 Unrestricted Upload of File with Dangerous Type in iqonicdesign WPBookit
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's image-upload handler calls move_uploaded_file() on client-supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
AI Analysis
Technical Summary
CVE-2025-7852 is a critical vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) in the WPBookit plugin for WordPress, developed by iqonicdesign. The flaw resides in the image_upload_handle() function, which is triggered via the 'add_new_customer' route. This function neither validates the extension or MIME type of uploaded files nor sanitizes filenames before calling PHP's move_uploaded_file(). Consequently, attackers can upload arbitrary files, including malicious scripts, without authentication or user interaction, and if the uploaded file is a web shell or other executable code the result can be remote code execution (RCE). All versions of WPBookit up to and including 1.0.6 are affected. The CVSS v3.1 base score is 9.8: network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no exploits are currently reported in the wild, the ease of exploitation and potential impact make this a high-risk issue. The absence of patch links suggests that a fix may not yet be publicly available, which increases the urgency of mitigation.
Potential Impact
The impact of CVE-2025-7852 is severe for organizations using the WPBookit plugin on WordPress sites. Successful exploitation allows unauthenticated attackers to upload arbitrary files, which can lead to remote code execution, full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks. This can result in loss of confidentiality, integrity, and availability of the affected web server and potentially the broader network. Given WordPress's widespread use, especially among small to medium businesses and service providers, many organizations could be exposed. The vulnerability could also be leveraged to deploy ransomware, malware, or conduct phishing campaigns from compromised sites. The absence of authentication and user interaction requirements significantly increases the attack surface and likelihood of exploitation. Organizations relying on WPBookit for booking or customer management services face operational disruptions and reputational damage if exploited.
Mitigation Recommendations
To mitigate CVE-2025-7852, organizations should immediately:
1) Update the WPBookit plugin to a patched version once released by the vendor. If no patch is available, temporarily disable or remove the plugin to eliminate exposure.
2) Implement web application firewall (WAF) rules to block suspicious file upload attempts and restrict allowed file types to safe image formats only.
3) Employ server-side validation to enforce strict MIME type and file extension checks before accepting uploads.
4) Sanitize and normalize filenames to prevent directory traversal or code execution.
5) Restrict file upload directories with appropriate permissions to prevent execution of uploaded files.
6) Monitor web server logs for unusual upload activity or access patterns.
7) Conduct regular security audits and vulnerability scans focusing on WordPress plugins.
8) Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.
These steps go beyond generic advice by emphasizing immediate plugin removal if patches are unavailable and leveraging WAF and server configuration controls to reduce risk.
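As an added illustration (not WPBookit's code and not the vendor's fix), here is what an image-upload handler looks like once recommendations 3, 4 and 5 are applied using WordPress's own helpers: an allow-list of image types checked against the file's real contents, a server-generated filename, and a confined destination. The function name, the `wpbookit-customers` directory and the returned value are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened image-upload handler that
// applies the checks recommended above (extension + MIME validation against
// file contents, filename sanitization, confined destination, no execute bit).
// Function name and target directory are assumptions.
function hardened_image_upload_handle( array $file ) {
    // Only accept a real multipart upload that PHP itself received.
    if ( ! isset( $file['tmp_name'], $file['name'], $file['error'] )
        || $file['error'] !== UPLOAD_ERR_OK
        || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'upload_invalid', 'No valid upload received.' );
    }
    // Allow-list of image types; anything else is rejected outright.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // wp_check_filetype_and_ext() inspects the actual bytes, not just the
    // client-supplied name, and returns empty ext/type when they disagree.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'upload_type', 'Only JPEG, PNG or GIF images are accepted.' );
    }
    // Independent second check that the content decodes as an image.
    if ( @getimagesize( $file['tmp_name'] ) === false ) {
        return new WP_Error( 'upload_not_image', 'File is not a valid image.' );
    }
    // Never reuse the original filename: generate our own with the validated
    // extension, so traversal sequences and double extensions in the
    // client-supplied name cannot influence the stored path.
    $basename   = sanitize_file_name( wp_generate_uuid4() . '.' . $check['ext'] );
    $upload_dir = wp_upload_dir();
    $target_dir = trailingslashit( $upload_dir['basedir'] ) . 'wpbookit-customers';
    wp_mkdir_p( $target_dir );
    $target = $target_dir . '/' . $basename;
    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        return new WP_Error( 'upload_move', 'Could not store the uploaded file.' );
    }
    // Defence in depth: stored images must never carry an execute bit.
    chmod( $target, 0644 );
    return $target;
}
```

Pair this with an authorization check (capability and nonce) on the route itself, since the handler above only addresses what is stored, not who may call it.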
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Italy, Spain, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-18T22:04:48.835Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6881b76dad5a09ad00306ad0
Added to database: 7/24/2025, 4:32:45 AM
Last enriched: 2/26/2026, 4:42:31 PM
Last updated: 3/22/2026, 3:46:26 PM