CVE Catalog

CVE-2026-6960

Critical
Published: Translated: NVD NIST

Summary

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to and including 5.6. This allows unauthenticated attackers to upload arbitrary files on the affected site's server.

Risk Assessment

This vulnerability may lead to remote code execution, posing a serious threat to the server's security and user data. Attackers can exploit this flaw if a signature custom field is added to the booking form.

Recommendation

It is recommended to update the BookingPress Pro plugin to the latest version to mitigate this vulnerability. Additionally, implementing further validation mechanisms for uploaded files is advisable.

Original NVD description (English source)

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS