A critical (CVSS 9.8) flaw in the BookingPress Pro WordPress plugin lets unauthenticated attackers upload arbitrary files, potentially leading to remote code execution on affected sites.
What Is It
CVE-2026-6960 is an arbitrary file upload vulnerability (CWE-434) in the BookingPress Pro plugin for WordPress. The root cause is missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Because the attack vector is network-based, requires no privileges, and needs no user interaction, an unauthenticated remote attacker can submit malicious files directly through the booking form. The vulnerability only triggers when a signature custom field has been added to the booking form, which is a common configuration for sites collecting customer consent.
Why It Matters
With a CVSS 3.1 base score of 9.8 (CRITICAL) and a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this vulnerability carries high impact across confidentiality, integrity, and availability. Successful exploitation may enable remote code execution, giving attackers full control of the underlying web server. Arbitrary file upload bugs in widely deployed WordPress plugins are historically a favorite target for opportunistic mass exploitation, web shell deployment, and downstream site defacement or pivoting. There is no current CISA KEV listing confirming active in-the-wild exploitation at the time of disclosure.
What's Vulnerable
- Product: BookingPress Pro plugin for WordPress
- Affected versions: All versions up to and including 5.6
- Precondition: A signature custom field must be present on the booking form for the bug to be exploitable
- Vulnerable function: bookingpress_validate_submitted_booking_form_func
Patch Status
The NVD record (published 2026-05-21, status: Received) does not specify a fixed version. Administrators running BookingPress Pro should consult the vendor and the Wordfence Threat Intelligence advisory for the patched release. Until a confirmed fix is applied, mitigations include removing any signature custom fields from booking forms, restricting plugin access at the web server or WAF layer, and auditing the WordPress uploads directory for unexpected files such as PHP scripts.
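As an added example (not code from the advisory, Wordfence, or the BookingPress project), the following Python script carries out the uploads-directory audit recommended above and, in the same pass, applies the kind of file type check that the vulnerable validation function is described as lacking: a file's content must match what its name claims. The sample directory tree, the file names, the extension list and the magic-byte table are constructed assumptions; to use it on a real site, point `audit_uploads()` at the wp-content/uploads path.

```python
"""Audit a WordPress uploads tree for files that should not be there.

Added example, not part of the advisory or of the BookingPress plugin.
Two checks are applied to every file:
  1. name-based: any extension segment a PHP-capable web server might execute;
  2. content-based: an image extension whose bytes do not start with that
     format's magic number, or a PHP open tag inside the file.
"""
import os
import tempfile

# Extensions commonly mapped to the PHP handler (constructed list; adjust to
# the server's actual handler configuration).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Magic bytes of the image formats a signature pad would legitimately produce.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def classify(path: str) -> list[str]:
    """Return the findings for one file; an empty list means it looks benign."""
    findings = []
    # Every extension segment is inspected, so "sig.php.jpg" yields ["php", "jpg"].
    exts = os.path.basename(path).lower().split(".")[1:]
    if any(e in EXECUTABLE_EXTS for e in exts):
        findings.append("executable extension")
    with open(path, "rb") as fh:
        head = fh.read(16)
    # Content must match the claimed image type (the check the bug lacked).
    if exts and exts[-1] in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[exts[-1]]):
        findings.append("content does not match image extension")
    if b"<?php" in head:
        findings.append("PHP open tag in content")
    return findings


def audit_uploads(root: str) -> dict[str, list[str]]:
    """Walk an uploads tree and map each suspicious file (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = classify(full)
            if found:
                report[os.path.relpath(full, root)] = found
    return report


def build_sample_uploads() -> str:
    """Create a constructed sample tree: one clean signature image and three bad files."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month_dir = os.path.join(root, "2026", "05")
    os.makedirs(month_dir)
    samples = {
        "signature-1.png": IMAGE_MAGIC["png"] + b"\x00" * 32,  # genuine PNG header
        "signature-2.png": b"<?php echo 1; ?>",                 # PHP bytes behind a .png name
        "unexpected.php": b"<?php /* constructed */ ?>",        # plain PHP file in uploads
        "sig.php.jpg": IMAGE_MAGIC["jpg"] + b"\xe0" + b"\x00" * 8,  # double extension
    }
    for fname, data in samples.items():
        with open(os.path.join(month_dir, fname), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why in sorted(audit_uploads(build_sample_uploads()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Only the first 16 bytes are read per file, so the walk stays cheap on large media libraries; a file with a PHP open tag placed after a valid image header is not caught by the content check, which is why the name-based check on every extension segment is kept alongside it.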
Sources
- NVD, CVE-2026-6960: https://nvd.nist.gov/vuln/detail/CVE-2026-6960
- Wordfence Threat Intelligence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/ed738dc5-7848-4b04-a3fd-317cc366acfa?source=cve
- BookingPress vendor site: https://www.bookingpressplugin.com/