VYPR
Critical severity 9.8 · NVD Advisory · Published May 21, 2026

CVE-2026-6960

Description

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated arbitrary file upload in WordPress BookingPress Pro plugin <=5.6 leads to remote code execution when a signature custom field is used.

The BookingPress Pro plugin for WordPress, up to and including version 5.6, contains an arbitrary file upload vulnerability in the bookingpress_validate_submitted_booking_form_func function [1]. The flaw arises from missing file type validation, allowing attackers to upload files with arbitrary extensions.

The vulnerability can be exploited by unauthenticated attackers, but only if a signature custom field has been added to the booking form [1]. An attacker can craft a malicious file (e.g., a PHP web shell) and upload it through the vulnerable function without authentication.

Successful exploitation results in arbitrary file upload on the server, which can lead to remote code execution [1]. An attacker could execute commands, access sensitive data, or compromise the entire WordPress site.

As of the publication date, the vulnerability affects all versions up to and including 5.6. Users are advised to update to a patched version if available, or remove the signature custom field from booking forms to mitigate the risk [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
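
The description attributes the flaw to missing file type validation on the signature field. The following is an added example of that control, not code from the BookingPress plugin or from this advisory: the function name `safe_signature_name`, the PNG/JPEG allowlist, the 256 KiB size limit and both sample inputs are assumptions made for illustration.

```php
<?php
// Added example: allowlist validation for a signature-image upload.
// Names, limits and sample data are assumptions, not plugin code.

const SIGNATURE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Returns a server-chosen file name for a validated signature image,
 * or throws if the content is not an allowlisted image type.
 */
function safe_signature_name(string $tmpPath, int $maxBytes = 262144): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new InvalidArgumentException('signature size out of range');
    }
    // Decide the type from the file content, never from the client's
    // file name or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, SIGNATURE_TYPES)) {
        throw new InvalidArgumentException('content type not allowed');
    }
    // The image header must also parse and agree with the detected type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new InvalidArgumentException('not a parseable image');
    }
    // Random name plus an extension taken from the allowlist:
    // the client controls neither part of the stored name.
    return bin2hex(random_bytes(16)) . '.' . SIGNATURE_TYPES[$mime];
}

// Constructed samples: a 1x1 PNG, and PHP source submitted under a .png name.
$samples = [
    'signature.png'    => base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='),
    'not-an-image.png' => "<?php echo 'constructed sample'; ?>",
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'sig');
    file_put_contents($tmp, $bytes);
    try {
        echo $clientName, ' -> stored as ', safe_signature_name($tmp), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $clientName, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
    unlink($tmp);
}
```

Content checks alone do not reject a valid image with extra data appended; the server-assigned name and fixed extension are what keep the stored file from being handled as a script.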

Affected products

2

Patches

0

No patches discovered yet.

References

2
