{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25413", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:19.002Z", "datePublished": "2026-03-25T16:14:48.675Z", "dateUpdated": "2026-03-25T16:14:48.675Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "wpbookit-pro", "product": "WPBookit Pro", "vendor": "iqonicdesign", "versions": [{"lessThanOrEqual": "<= 1.6.18", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.435Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.<p>This issue affects WPBookit Pro: from n/a through <= 1.6.18.</p>"}], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.This issue affects WPBookit Pro: from n/a through <= 1.6.18."}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "Using Malicious Files"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.675Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-arbitrary-file-upload-vulnerability?_s_id=cve"}], "title": "WordPress WPBookit Pro plugin <= 1.6.18 - Arbitrary File Upload vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.This issue affects WPBookit Pro: from n/a through <= 1.6.18."}], "id": "CVE-2026-25413", "lastModified": "2026-03-25T17:16:50.040", "metrics": {}, "published": "2026-03-25T17:16:50.040", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpbookit-pro/vulnerability/wordpress-wpbookit-pro-plugin-1-6-18-arbitrary-file-upload-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:54:03.261386+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of WPBookit Pro released after 1.6.18 that includes the upload validation fix.", "If an upgrade is not immediately possible, deactivate or uninstall the plugin, and delete any files that have been uploaded through it.", "Reconfigure the server so that the upload directory blocks execution of uploaded files and restricts allowed MIME types to a safe list (e.g., images only).", "Monitor upload logs and web server logs for unexpected activity."], "summary": {"action": "Apply Patch", "impact": "Unrestricted File Upload"}, "threat_synthesis": {"affected_systems": "All installations of the WPBookit Pro plugin by iqonicdesign with a version equal to or older than 1.6.18 are vulnerable. The flaw exists in every release from the earliest version through 1.6.18; no patch versions are documented in the current data.", "description_and_impact": "The WPBookit Pro plugin contains a flaw that allows any user to upload arbitrary files to the server. By doing so, malicious code can be placed in a publicly served location, potentially enabling remote code execution. This vulnerability is cataloged as CWE\u2011434, denoting unrestricted upload of a dangerous file type.", "risk_and_exploitability": "Documentation does not provide a CVSS or EPSS score, and the vulnerability is not listed in the CISA KEV catalog, so a precise severity cannot be assigned. However, arbitrary file upload is generally considered a high\u2011risk vulnerability. Based on the description, it is inferred that an attacker can exploit the upload functionality\u2014likely available to authenticated users or to the public depending on site configuration\u2014to place malicious files in the server\u2019s upload directory. Delivering an executable file could lead to remote code execution and full compromise of the affected site."}}}}, "created": "2026-03-25T21:44:33.674829+00:00", "updated": "2026-03-25T21:44:33.674877+00:00", "vendors": []}