BookingPress Pro Plugin Vulnerability (CVE-2026-6960)

Security Alert Summary

The BookingPress Pro plugin for WordPress contains an arbitrary file upload vulnerability in the bookingpress_validate_submitted_booking_form_func function in all versions up to and including 5.6. An unauthenticated attacker can upload arbitrary files when a signature custom field is present on a booking form, which may allow remote code execution on affected servers.

CVE Details

  • CVE ID: CVE-2026-6960
  • Affected component: BookingPress Pro plugin for WordPress
  • Affected versions: All versions up to and including 5.6
  • Published: May 21, 2026 at 10:16:48 PM UTC
  • Last modified: May 21, 2026 at 10:16:48 PM UTC
  • CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / User interaction: None required (Network vector, No privileges required, No user interaction)
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • Weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)

Technical Details

The vulnerability exists because the bookingpress_validate_submitted_booking_form_func function does not validate the type of an uploaded file before accepting it. When a signature custom field is present on a booking form, the plugin accepts and stores the submitted file without checking its extension or MIME type against an allowlist, so nothing prevents a script file from being written where an image was expected.

Because the vulnerable code path requires no authentication or privileges, anyone who can reach the public booking form can attempt the upload. The CVE description indicates that this may lead to remote code execution; in practice that depends on the uploaded file landing in a web-accessible location from which the server will execute it, which on a typical PHP host is any served directory that has not had script execution disabled.

No additional functions, REST endpoints, or checks beyond the named validation function are referenced in the available information.

How This Could Impact Your Website

Consider a realistic scenario: a site owner publishes a booking form that includes a signature custom field to collect client signatures. An external visitor, or an automated attacker, submits the booking form with a malicious file attached. Because the plugin does not validate file types, that file can be stored on the server. If the uploaded file is an executable web payload and is placed in a web-accessible location, an attacker could run that code on the server.

The practical consequence of code execution on the web server is full compromise of the WordPress installation, which is why the CVSS vector rates confidentiality, integrity and availability all as High. An attacker in that position can read wp-config.php and the database credentials it holds, dump the user table (staff and contractor email addresses and password hashes, usable for phishing, social engineering or offline cracking), install persistent backdoors, and alter or take down the site. The issue is therefore not limited to simple data disclosure.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update BookingPress Pro to a release later than 5.6 as soon as the vendor publishes one; until then, treat every installation at 5.6 or below as vulnerable.
  • Remove or avoid adding a signature custom field on booking forms until the plugin is confirmed patched.
  • Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that may be able to submit content. This does not block CVE-2026-6960 itself, which needs no account, but it limits what an attacker can do with credentials recovered after a compromise.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and themes.
  • Monitor site activity and the uploads directory for unusual behavior: flag files with executable extensions (.php, .phtml, .phar), double extensions, PHP tags inside files named as images, and unexpected .htaccess files, and review web server logs for booking-form submissions followed by requests to newly created files. Where your host allows it, disable script execution under wp-content/uploads.
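The checks missing from the vulnerable validation function described under Technical Details, and the upload scan recommended in the last item above, as an added example. This is Python written for this page, not BookingPress code and not a WordPress hook; it assumes a signature widget submits a PNG or JPEG, and its list of executable extensions is illustrative. The sample files it creates are constructed.

```python
"""Added example, not BookingPress code: the server-side checks an upload
handler for a signature field should perform, plus a scanner that applies the
same extension/content rules to an existing uploads tree after the fact."""
import os
import re
import secrets
import tempfile
from pathlib import Path

# Assumption: a signature widget submits a raster image, so only these are legitimate.
ALLOWED_EXT = {"png", "jpg", "jpeg"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
# Extensions PHP hosts commonly execute; illustrative, tune to your server config.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB; a signature image is far smaller


def validate_signature_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name). Accept only a real PNG/JPEG
    with a single allowed extension; never reuse the client's filename."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    if not name or "\x00" in name or name.startswith("."):
        return False, "bad filename", None
    parts = name.lower().split(".")
    if len(parts) != 2:
        # Rejects 'sig.png.php' and 'sig.php.png' (some Apache mod_mime setups
        # execute either) as well as extensionless names.
        return False, "multiple or missing extensions", None
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed", None
    if len(data) > MAX_BYTES:
        return False, "too large", None
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type", None
    if PHP_TAG.search(data):
        # A structurally valid image can still carry PHP in metadata chunks.
        return False, "embedded PHP tag", None
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def scan_uploads(root: Path):
    """Walk an uploads tree and flag files a PHP host could execute or that hide
    PHP code behind an image name. Returns sorted (relative_path, reasons)."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        parts = path.name.lower().split(".")
        reasons = []
        if set(parts[1:]) & EXEC_EXT:
            reasons.append("executable extension")
        if len(parts) > 2:
            reasons.append("double extension")
        if path.name.lower() == ".htaccess":
            reasons.append(".htaccess in uploads")  # can re-enable PHP there
        with path.open("rb") as fh:
            if PHP_TAG.search(fh.read(MAX_BYTES)):
                reasons.append("php tag in content")
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return sorted(findings)


def demo():
    """Constructed sample tree (not real data) exercising both functions."""
    root = Path(tempfile.mkdtemp(prefix="uploads_"))
    good_png = MAGIC["png"] + b"\x00" * 32
    samples = {
        "2026/05/sig_ok.png": good_png,                         # legitimate signature
        "2026/05/shell.php": b"<?php echo 'hi'; ?>",            # plain script upload
        "2026/05/sig.png.php": good_png + b"<?php echo 1; ?>",  # double extension
        "2026/05/fake.png": b"GIF89a<?php echo 2; ?>",          # wrong magic, PHP inside
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    verdicts = {Path(rel).name: validate_signature_upload(Path(rel).name, data)[0]
                for rel, data in samples.items()}
    return verdicts, scan_uploads(root)


if __name__ == "__main__":
    verdicts, findings = demo()
    for name, ok in verdicts.items():
        print(f"validate {name:<14} -> {'accept' if ok else 'reject'}")
    for rel, reasons in findings:
        print(f"flag     {rel} -> {', '.join(reasons)}")
```

The validator only accepts the one file shape a signature field can legitimately produce and discards the client's name entirely, which removes the double-extension and traversal tricks at the same time. The scanner reuses the same rules for the after-the-fact case: run it against a copy of wp-content/uploads taken before cleanup so the findings can feed incident timelines.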

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
