Skip to main content

BookingPress Pro CVE-2026-6960

| EUVDEUVD-2026-31367 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-21 Wordfence GHSA-qf4r-cjjc-2864
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:30 vuln.today

DescriptionCVE.org

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.

AnalysisAI

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.

Technical ContextAI

BookingPress Pro is a commercial appointment-booking plugin for WordPress developed by Repute Infosystems (CPE: cpe:2.3:a:repute_infosystems:bookingpress_appointment_booking_pro). The flaw is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) issue: the form-submission handler bookingpress_validate_submitted_booking_form_func accepts files attached to a signature custom field without checking MIME type, extension, or content. WordPress plugins that write uploads beneath wp-content typically deposit them under the web root, so a PHP payload uploaded through the booking form is directly fetchable and executable by the PHP-FPM/Apache process running WordPress.

RemediationAI

Patch available per vendor advisory - upgrade BookingPress Pro to a release later than 5.6 as published by Repute Infosystems on https://www.bookingpressplugin.com/ and tracked at the Wordfence advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/ed738dc5-7848-4b04-a3fd-317cc366acfa?source=cve; an exact fixed version is not independently confirmed from the supplied data, so verify the changelog before deploying. If immediate patching is not possible, remove any signature custom field from booking forms in the BookingPress admin UI (this directly removes the upload code path the bug depends on, at the cost of losing signature collection on bookings), and as a defense-in-depth measure deny execution of PHP files inside the BookingPress uploads directory via web server rules (e.g., a location block or .htaccess denying .php) - this can break legitimate plugin functionality if it writes server-executed scripts, so test in staging. A WAF with WordPress file-upload signatures (Wordfence, Patchstack) should be enabled in blocking mode until the patch is applied.

Share

CVE-2026-6960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy