CVE-2026-25413
Unrestricted File Upload in WPBookit Pro Allows Malicious Files
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iqonicdesign | wpbookit_pro | up to and including 1.6.18 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
WPBookit Pro versions up to and including 1.6.18 contain an arbitrary file upload flaw (CWE-434). An authenticated attacker with subscriber or developer privileges can upload files of any type to the site, including server-side scripts that act as backdoors, because the plugin does not adequately restrict what is accepted.
If the uploaded file lands in a web-accessible location and the server executes it, the attacker can request it directly and run arbitrary code, gaining unauthorized access to or control over the affected website.
The issue is categorized under OWASP Top 10 A03: Injection and carries a CVSS score of 9.9, which is Critical severity (9.0 and above), not High.
How can this vulnerability impact me?
This vulnerability can have severe impact: an attacker who uploads a backdoor gains a persistent, unauthorized entry point into your website.
Executing such a file lets the attacker compromise the site, potentially leading to data breaches, defacement, or use of the server for further attacks such as phishing or malware hosting.
Because exploitation requires only subscriber or developer privileges, the risk is high even when the attacker's initial access is limited; on sites that allow open registration, anyone can obtain a subscriber account.
At the time of writing there is no official patch, so immediate mitigation, or assistance from your hosting provider or developer, is strongly advised.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability lets attackers place arbitrary files, including backdoors, on the affected WordPress site, so detection focuses on the artifacts that leaves behind: files with server-side script extensions (.php, .phtml, .phar), double extensions such as shell.php.jpg, or image files whose contents contain a PHP open tag, anywhere under the upload directories used by WPBookit Pro.
Since only subscriber or developer privileges are needed, review recently created low-privilege accounts and any uploads attributed to them, and look in web server access logs for requests to newly appeared files in the uploads tree; a direct request to a script in an uploads directory is a strong indicator that a backdoor is being used.
No specific detection commands are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation consists of applying the Patchstack mitigation rule, which blocks attacks exploiting this vulnerability until an official patch is released.
Monitor for updates and apply the official patch as soon as it becomes available; the mitigation rule is a stopgap, not a fix.
If you cannot apply the Patchstack mitigation yourself, ask your hosting provider or web developer to do so. Independently of the plugin, denying script execution in the web server configuration for the directories where uploads are stored limits what an uploaded backdoor can do, and disabling open user registration removes the easiest route to a subscriber account.
Given the high risk and the potential for mass exploitation of a low-privilege, wide-impact bug, immediate mitigation or resolution is strongly advised.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to upload and execute malicious files, potentially leading to unauthorized access and data breaches.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the provided information does not explicitly mention compliance impacts or regulatory considerations.