CVE-2026-25413
Received Received - Intake
Unrestricted File Upload in WPBookit Pro Allows Malicious Files

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.This issue affects WPBookit Pro: from n/a through <= 1.6.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25413
EUVD
EUVD-2026-15720
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
iqonicdesign wpbookit_pro to 1.6.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to upload and execute malicious files, potentially leading to unauthorized access and data breaches.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Executive Summary

The vulnerability in WPBookit Pro Plugin versions up to and including 1.6.18 is an Arbitrary File Upload flaw. It allows attackers with subscriber or developer privileges to upload any type of file to a website, including malicious files such as backdoors.

This means an attacker can inject harmful files that can be executed to gain unauthorized access or control over the affected website.

The issue is categorized under OWASP Top 10 A3: Injection and has a high severity score of 9.9.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to your website through malicious backdoors uploaded by attackers.

Attackers can execute these malicious files to compromise the website, potentially leading to data breaches, defacement, or use of the site for further attacks.

Because the vulnerability requires only subscriber or developer privileges to exploit, it poses a high risk even if the attacker has limited initial access.

There is currently no official patch, so immediate mitigation or assistance from hosting providers or developers is strongly advised.

Detection Guidance

This vulnerability allows attackers to upload arbitrary files, including malicious backdoors, to the affected WordPress site. Detection can involve monitoring for unusual file uploads or unexpected file types in the upload directories of the WPBookit Pro plugin.

Since the vulnerability requires only subscriber or developer privileges to exploit, checking for suspicious files uploaded by such users can help detect exploitation attempts.

No specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include applying the Patchstack mitigation rule that can block attacks exploiting this vulnerability until an official patch is released.

Users should monitor for updates and apply the official patch as soon as it becomes available.

If a patch is not yet available, seek assistance from your hosting provider or web developer to implement the Patchstack mitigation.

Due to the high risk and potential for mass exploitation, immediate mitigation or resolution is strongly advised.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart