CVE-2026-25413: Unrestricted Upload of File with Dangerous Type in iqonicdesign WPBookit Pro
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files. This issue affects WPBookit Pro: from n/a through <= 1.6.18.
AI Analysis
Technical Summary
CVE-2026-25413 identifies a critical security vulnerability in the WPBookit Pro WordPress plugin developed by iqonicdesign. The issue is an unrestricted file upload vulnerability that allows attackers to upload files with dangerous types, such as executable scripts or web shells, without adequate validation or restriction. This vulnerability affects all versions up to and including 1.6.18. Because the plugin does not properly restrict or sanitize uploaded file types, an attacker can upload malicious files that could be executed on the server, leading to remote code execution (RCE), website defacement, data theft, or pivoting within the hosting environment. The vulnerability was reserved in early 2026 and published in March 2026, with no known exploits reported in the wild yet. However, the nature of unrestricted file upload vulnerabilities makes them highly attractive targets for attackers. The plugin is used to manage booking functionalities on WordPress sites, which may be integrated into business websites, increasing the potential impact. No official patches or mitigation links are currently available, so organizations must implement interim controls. The absence of a CVSS score requires an expert severity assessment based on the technical details and potential impact.
Potential Impact
The unrestricted upload of dangerous file types can have severe consequences for affected organizations. Successful exploitation could allow attackers to execute arbitrary code on the web server, leading to full site compromise. This can result in data breaches, including theft of sensitive customer information, defacement of websites, insertion of malware or ransomware, and use of compromised servers as a foothold for further attacks within the network. For businesses relying on WPBookit Pro for booking and customer management, this could disrupt operations and damage reputation. The impact extends to the confidentiality, integrity, and availability of the affected systems. Given the plugin’s integration with WordPress, a widely used CMS, the scope of affected systems could be significant. Although no exploits are currently known in the wild, the vulnerability’s characteristics make it a high-value target for attackers, especially those targeting small to medium enterprises using WordPress plugins without rigorous security controls.
Mitigation Recommendations
Until an official patch is released by iqonicdesign, organizations should take immediate steps to mitigate the risk. First, restrict file upload types at the web server or application firewall level to allow only safe file formats (e.g., images such as .jpg, .png). Implement strict server-side validation and sanitization of all uploaded files. Disable or limit file upload functionality if not essential. Monitor web server logs and file upload directories for suspicious or unexpected files. Employ a Web Application Firewall (WAF) with rules to detect and block malicious upload attempts. Keep WordPress core, themes, and other plugins updated to reduce the attack surface. Consider isolating the plugin’s upload directory with restrictive permissions to prevent execution of uploaded files. Regularly back up website data and test restoration procedures. Finally, subscribe to vendor advisories and security mailing lists to apply patches promptly once available.
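The server-side validation and upload-directory monitoring recommended above, as an added example written for this page (not code from WPBookit Pro, iqonicdesign or the advisory); the allowlist, the magic-byte table and the sample directory listing are constructed assumptions for illustration.

```python
import secrets

# Constructed allowlist for this example: the file types a booking form might
# legitimately accept, mapped to the magic bytes each must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-",
}
# Extensions that must not appear anywhere in the name, including as an inner
# part such as "invoice.php.jpg", which some Apache mod_mime setups execute.
EXECUTABLE = {"php", "phtml", "php3", "php5", "php7", "phar",
              "htaccess", "cgi", "pl", "sh"}

def validate_upload(filename: str, content: bytes):
    """Return (ok, reason); anything not provably a benign type is rejected."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "bad characters in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or dotfile name"
    if any(p in EXECUTABLE for p in parts[1:]):
        return False, "executable extension present"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    # A valid image header with script appended (a polyglot) still fails here.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP marker"
    return True, ""

def storage_name(ext: str) -> str:
    """Server-chosen random name: the client never controls the stored path."""
    return f"{secrets.token_hex(16)}.{ext}"

def find_unexpected(listing):
    """Flag entries of an upload-directory listing that violate the allowlist,
    for the periodic monitoring the advisory recommends."""
    flagged = []
    for name in listing:
        parts = name.lower().split(".")
        if (len(parts) < 2 or not parts[0] or parts[-1] not in ALLOWED
                or any(p in EXECUTABLE for p in parts[1:])):
            flagged.append(name)
    return flagged

# Constructed sample listing of an uploads directory.
SAMPLE_LISTING = ["booking-123.pdf", "avatar.jpg", "cache.php",
                  "pic.php.png", ".htaccess"]

if __name__ == "__main__":
    print(find_unexpected(SAMPLE_LISTING))
```

Pair this with a web-server rule that refuses to execute scripts from the uploads directory, since validation alone does not help against files that arrive by another path.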
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-02-02T12:53:19.002Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69c4116ef4197a8e3b6d6756
Added to database: 3/25/2026, 4:46:38 PM
Last enriched: 3/25/2026, 6:06:30 PM
Last updated: 3/26/2026, 5:35:19 AM