Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
AnalysisAI
Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.
Technical ContextAI
BookingPress Pro is a commercial appointment-booking plugin for WordPress developed by Repute Infosystems (CPE: cpe:2.3:a:repute_infosystems:bookingpress_appointment_booking_pro). The flaw is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) issue: the form-submission handler bookingpress_validate_submitted_booking_form_func accepts files attached to a signature custom field without checking MIME type, extension, or content. WordPress plugins that write uploads beneath wp-content typically deposit them under the web root, so a PHP payload uploaded through the booking form is directly fetchable and executable by the PHP-FPM/Apache process running WordPress.
RemediationAI
Patch available per vendor advisory - upgrade BookingPress Pro to a release later than 5.6 as published by Repute Infosystems on https://www.bookingpressplugin.com/ and tracked at the Wordfence advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/ed738dc5-7848-4b04-a3fd-317cc366acfa?source=cve; an exact fixed version is not independently confirmed from the supplied data, so verify the changelog before deploying. If immediate patching is not possible, remove any signature custom field from booking forms in the BookingPress admin UI (this directly removes the upload code path the bug depends on, at the cost of losing signature collection on bookings), and as a defense-in-depth measure deny execution of PHP files inside the BookingPress uploads directory via web server rules (e.g., a location block or .htaccess denying .php) - this can break legitimate plugin functionality if it writes server-executed scripts, so test in staging. A WAF with WordPress file-upload signatures (Wordfence, Patchstack) should be enabled in blocking mode until the patch is applied.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31367
GHSA-qf4r-cjjc-2864