Description
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
Published: 2026-05-21
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BookingPress Pro plugin for WordPress contains a flaw that allows unauthenticated attackers to upload arbitrary files by omitting file type validation when a signature custom field is present in the booking form. This vulnerability can lead to remote code execution if an attacker places malicious payloads such as PHP scripts on the server, thereby compromising site integrity and confidentiality.

Affected Systems

Vendors affected are Repute Infosystems. The vulnerable product is BookingPress appointment booking pro, with all releases up to and including version 5.6 susceptible to this issue. Any instances of BookingPress Pro on WordPress sites that have not yet updated beyond 5.6 are at risk.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical flaw. EPSS is not available, but the absence of KEV listing does not reduce danger; the flaw remains exploitable by unauthenticated users who can submit a crafted booking form. An attacker can achieve remote code execution by uploading a web‑shell or malicious script, and the vulnerability requires only the presence of a signature custom field, which is a common configuration. Thus, immediate patching or mitigation is essential.

Generated by OpenCVE AI on May 21, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BookingPress Pro to version 5.7 or newer, which includes proper file‑type validation.
  • Remove signature custom fields from booking forms or restrict them to prevent file uploads for unauthenticated users.
  • If an update is not immediately possible, configure the server to reject suspicious file MIME types and restrict write permissions to the uploads directory.
  • Ensure the WordPress core and all plugins are up to date to reduce exposure to similar upload problems.

Generated by OpenCVE AI on May 21, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Repute Infosystems
Repute Infosystems bookingpress Appointment Booking Pro
Wordpress
Wordpress wordpress
Vendors & Products Repute Infosystems
Repute Infosystems bookingpress Appointment Booking Pro
Wordpress
Wordpress wordpress

Thu, 21 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
Title BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Repute Infosystems Bookingpress Appointment Booking Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-22T18:38:59.865Z

Reserved: 2026-04-24T14:45:46.690Z

Link: CVE-2026-6960

cve-icon Vulnrichment

Updated: 2026-05-22T18:38:56.585Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T22:16:48.643

Modified: 2026-05-22T15:50:24.953

Link: CVE-2026-6960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T12:38:26Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type