
CVE-2026-6960: BookingPress Pro plugin allows malicious file uploads on WordPress sites

Summary

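The BookingPress Pro plugin for WordPress does not validate the type of uploaded files, so an unauthenticated attacker can upload arbitrary files to the server, which may lead to remote code execution. The issue affects all versions up to and including 5.6 and is exploitable only when a signature custom field has been added to the booking form. To protect your site, update the plugin to a fixed version or remove it if possible.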

Original title
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all vers...
Original description
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-434 Unrestricted File Upload
Published: 21 May 2026 · Updated: 30 May 2026 · First seen: 21 May 2026