Description
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
Published: 2026-05-21
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BookingPress Pro plugin for WordPress contains a flaw that allows unauthenticated attackers to upload arbitrary files by omitting file type validation when a signature custom field is present in the booking form. This vulnerability can lead to remote code execution if an attacker places malicious payloads such as PHP scripts on the server, thereby compromising site integrity and confidentiality.

Affected Systems

Vendors affected are Repute Infosystems. The vulnerable product is BookingPress appointment booking pro, with all releases up to and including version 5.6 susceptible to this issue. Any instances of BookingPress Pro on WordPress sites that have not yet updated beyond 5.6 are at risk.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical flaw. EPSS is not available, but the absence of KEV listing does not reduce danger; the flaw remains exploitable by unauthenticated users who can submit a crafted booking form. An attacker can achieve remote code execution by uploading a web‑shell or malicious script, and the vulnerability requires only the presence of a signature custom field, which is a common configuration. Thus, immediate patching or mitigation is essential.

Generated by OpenCVE AI on May 21, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BookingPress Pro to version 5.7 or newer, which includes proper file‑type validation.
  • Remove signature custom fields from booking forms or restrict them to prevent file uploads for unauthenticated users.
  • If an update is not immediately possible, configure the server to reject suspicious file MIME types and restrict write permissions to the uploads directory.
  • Ensure the WordPress core and all plugins are up to date to reduce exposure to similar upload problems.

Generated by OpenCVE AI on May 21, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
Title BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-21T21:27:50.636Z

Reserved: 2026-04-24T14:45:46.690Z

Link: CVE-2026-6960

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T22:16:48.643

Modified: 2026-05-21T22:16:48.643

Link: CVE-2026-6960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T22:30:20Z

Weaknesses