Arbitrary File Upload Vulnerability in BookingPress Pro for WordPress
CVE-2026-6960

9.8 CRITICAL

What is CVE-2026-6960?

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file upload because the 'bookingpress_validate_submitted_booking_form_func' function does not adequately validate the type of submitted files. All versions up to and including 5.6 are affected. An unauthenticated attacker can upload arbitrary files to the affected site's server, which may lead to remote code execution. Exploitation requires that the booking form include a signature custom field. Site administrators should apply the vendor's patch and upgrade to a fixed version.
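As an added example (not the plugin's code; the function, constants and upload-directory handling are assumptions), a defensive validator for a signature-image upload that decides the file type from the file's content rather than from the client-supplied name or MIME type, and stores it under a server-chosen name:

```php
<?php
// Added example, not BookingPress code: defensive handling of a signature
// image upload. Function name, constants and directory layout are assumed.

const SIGNATURE_ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];
const SIGNATURE_MAX_BYTES = 512 * 1024;

/**
 * Validate one $_FILES entry for a signature field and move it into
 * $upload_dir. Returns the stored filename, or throws on any failure.
 */
function validate_signature_upload(array $file, string $upload_dir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > SIGNATURE_MAX_BYTES) {
        throw new RuntimeException('Signature too large');
    }
    // Type is decided from content; $file['name'] and $file['type'] are
    // attacker-controlled and are never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(SIGNATURE_ALLOWED[$mime])) {
        throw new RuntimeException('Signature must be PNG or JPEG');
    }
    // Independent second check: the bytes must actually decode as an image
    // of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }
    // Random name with an allowlisted extension; nothing of the original
    // filename (and so no attacker-chosen extension) reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . SIGNATURE_ALLOWED[$mime];
    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store signature');
    }
    return $name;
}
```

Inside a WordPress plugin the same content-based checks can be delegated to wp_check_filetype_and_ext() and wp_handle_upload(), which apply the site's allowed MIME list; the upload directory should also deny script execution (for example via a web-server rule) as a second layer.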

Affected Version(s)

BookingPress Appointment Booking Pro, versions 0 through 5.6 (all versions up to and including 5.6)

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Phú