CVE-2025-7852 is an arbitrary file upload vulnerability in the WPBookit plugin for WordPress affecting all versions through 1.0.6. The flaw is caused by missing file type validation in the image_upload_handle() function exposed through the add_new_customer route. The upload handler passes client-supplied files to move_uploaded_file() without enforcing an allowlist of extensions or MIME types and without sanitizing the supplied filename. As a result, an unauthenticated attacker can upload arbitrary files to the server. If the uploaded file is placed in a web-accessible location and interpreted by the server as executable code, the vulnerability can be leveraged for remote code execution.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A vulnerability in WPBookit listed among the flaws targeted by the operation.
A vulnerability in the WPBookit WordPress plugin that was directly targeted in the WP-SHELLSTORM campaign.
A publicly known vulnerability affecting the WPBookit WordPress plugin that is being exploited in a large-scale campaign targeting CMS platforms for webshell deployment.
An arbitrary file upload vulnerability in WPBookit that produced a small number of confirmed compromises.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.