CVE-2026-6960
published 2026-05-21
CVE-2026-6960: The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the…
Priority P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% (47.4th percentile)
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| repute_infosystems | bookingpress_appointment_booking_pro | <= 5.6 | — |
VulDB
Repute Infosystems BookingPress Appointment Booking Pro Plugin up to 5.6 on WordPress bookingpress_validate_submitted_booking_form_func unrestricted upload (EUVD-2026-31367)
vuldb·2026-05-23·CVSS 9.8
CVE-2026-6960 [CRITICAL] Repute Infosystems BookingPress Appointment Booking Pro Plugin up to 5.6 on WordPress bookingpress_validate_submitted_booking_form_func unrestricted upload (EUVD-2026-31367)
A vulnerability classified as critical has been found in Repute Infosystems BookingPress Appointment Booking Pro Plugin up to 5.6 on WordPress. Affected by this issue is the function bookingpress_validate_submitted_booking_form_func. Performing a manipulation results in unrestricted upload.
This vulnerability is identified as CVE-2026-6960. The attack can be initiated remotely. There is not any exploit available.
GHSA
GHSA-qf4r-cjjc-2864: The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_su
ghsa_unreviewed·2026-05-22
CVE-2026-6960 [CRITICAL] CWE-434 GHSA-qf4r-cjjc-2864: The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_su
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.