CVE-2025-0357

CVE-2025-0357 is a critical vulnerability in the WPBookit plugin for WordPress, affecting versions up to and including 1.6.9. It stems from insufficient file type validation in the WPB_Profile_controller::handle_image_upload function, enabling arbitrary file uploads. This flaw, associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By uploading arbitrary files to the affected WordPress site's server, they may achieve remote code execution, potentially compromising the entire server.

Advisories and patch information are available in the WPBookit change log at https://documentation.iqonic.design/wpbookit/versions/change-log and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/19bf7a68-e76d-4740-9f35-b6084094f59b?source=cve, which detail mitigation steps and updates addressing the issue.