WPBookit WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability

A vulnerability exists in the WPBookit plugin for WordPress, allowing unauthenticated users to upload arbitrary files. This issue arises from inadequate file type validation in the 'image_upload_handle()' function, which is linked to the 'add_new_customer' route. The vulnerability affects all versions of the WPBookit plugin up to and including 1.0.6. The plugin's image upload handler uses 'move_uploaded_file()' to process client-supplied files without restricting allowed file extensions or MIME types, and it fails to sanitize the filename. As a result, attackers could potentially upload malicious files that could be executed remotely, leading to a severe security risk.

Impact

Successful exploitation allows for arbitrary file uploads, which could be leveraged to execute malicious files on the server, potentially leading to remote code execution.

Reproduction

To reproduce this vulnerability, send a request to the 'add_new_customer' route of the WPBookit plugin version 1.0.6 or earlier. Include a file in the request without proper validation of the file type or MIME type. The uploaded file will be processed by the 'image_upload_handle()' function', where the lack of validation will be exploited, allowing for arbitrary file uploads.

Remediation

Users are advised to update the WPBookit plugin to version 1.0.7 or later, where this vulnerability has been patched.