CVE-2026-6960: BookingPress Pro Plugin Arbitrary File Upload Leading to Potential RCE
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in versions up to 5.6, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution if a signature custom field is added to the booking form.
BookingPress Pro, a WordPress booking plugin, is affected by an arbitrary file upload vulnerability (CVE-2026-6960) in versions up to and including 5.6. The 'bookingpress_validate_submitted_booking_form_func' function, which processes submitted booking forms, does not validate the type of a file submitted through a signature custom field, so an unauthenticated visitor can store a file of their choosing, for example a PHP script, on the server. If that file lands in a web-accessible location from which the server executes PHP, requesting it yields remote code execution as the web server user. The precondition is that a site administrator has added a signature custom field to the booking form; a form without such a field does not reach the vulnerable code path.
Attack Chain
- An unauthenticated attacker finds a WordPress site running a vulnerable BookingPress Pro release (<= 5.6) whose public booking form contains a signature custom field.
- The attacker prepares a malicious file, typically a PHP script that executes an attacker-supplied command or drops a web shell.
- The attacker submits the booking form with a crafted multipart HTTP POST request to the site's booking endpoint.
- The request carries the PHP file in the file parameter of the signature custom field. Because the file type is never checked, no disguise (spoofed Content-Type, double extension, polyglot image) is required.
- 'bookingpress_validate_submitted_booking_form_func' accepts the submission and the file is written to disk under its original name and extension.
- The attacker locates the stored file (the advisory places it under the WordPress uploads directory) and requests it directly over HTTP.
- If the web server is configured to execute PHP from that location, the request runs the script and the attacker can execute arbitrary commands as the web server user. This is why the outcome is "potential" RCE: installations that block PHP execution in wp-content/uploads stop the chain at this step, although the arbitrary file write itself still happened.
- The attacker establishes a persistent backdoor or performs other malicious activities, such as data exfiltration or defacement.
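The following is an added example, not code from the advisory, from BookingPress, or from the platform's Sigma rules. It shows what the first detection rule above amounts to when applied to web-server access logs: a booking-form POST from a client followed, within a short window, by a request from the same client for a PHP file under the uploads directory. Two things are hypothetical because the page does not give them: the booking endpoint is assumed to be a POST to WordPress' /wp-admin/admin-ajax.php with an `action` query parameter starting with "bookingpress" (the real endpoint and action name are not on the page), and uploads are assumed to be served from /wp-content/uploads/. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Added example (not from the advisory or BookingPress): correlate access-log lines to flag
the upload-then-execute pattern of CVE-2026-6960.

Hypothetical assumptions, not taken from the advisory:
  * the booking form is POSTed to /wp-admin/admin-ajax.php with an `action` query parameter
    that starts with "bookingpress" (real endpoint/action unknown);
  * stored uploads are served from /wp-content/uploads/.
SAMPLE_LOG is constructed data."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions a default Apache/PHP setup hands to the PHP interpreter.
EXEC_EXT = (".php", ".php5", ".php7", ".phtml", ".phar")

SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] "GET /book-now/ HTTP/1.1" 200 18322 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=bookingpress_submit_form HTTP/1.1" 200 311 "https://example.test/book-now/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:03:05 +0000] "GET /wp-content/uploads/2026/03/signature_7f3a.php?cmd=id HTTP/1.1" 200 94 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Mar/2026:14:05:00 +0000] "GET /wp-content/uploads/2026/03/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:14:05:30 +0000] "POST /wp-admin/admin-ajax.php?action=bookingpress_submit_form HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_booking_upload(rec):
    """Hypothetical booking-form submission: POST to admin-ajax.php with a bookingpress* action."""
    return (rec["method"] == "POST"
            and "/wp-admin/admin-ajax.php" in rec["path"]
            and re.search(r"[?&]action=bookingpress", rec["path"]) is not None)


def is_uploaded_php_hit(rec):
    """Request for a PHP-executable file under the uploads directory (query string ignored)."""
    path = rec["path"].split("?", 1)[0].lower()
    return "/wp-content/uploads/" in path and path.endswith(EXEC_EXT)


def find_exploit_chains(lines, window_seconds=600):
    """Return one dict per PHP file requested from the uploads directory within
    `window_seconds` after a booking-form POST from the same client IP.
    Lines are expected in chronological order, as they appear in an access log."""
    posts = defaultdict(list)   # client ip -> timestamps of booking-form POSTs
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_booking_upload(rec):
            posts[rec["ip"]].append(rec["ts"])
        elif is_uploaded_php_hit(rec):
            for ts in posts[rec["ip"]]:
                delta = (rec["ts"] - ts).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append({"ip": rec["ip"], "path": rec["path"],
                                 "status": rec["status"], "seconds_after_post": delta})
                    break
    return hits


if __name__ == "__main__":
    for hit in find_exploit_chains(SAMPLE_LOG):
        print(f"[!] {hit['ip']} fetched {hit['path']} "
              f"{hit['seconds_after_post']:.0f}s after a booking POST (HTTP {hit['status']})")
```

Correlating the POST with the follow-up GET is what separates an exploitation attempt from ordinary booking traffic; a rule that only matches POSTs with a file part will fire on every legitimate signature submission. The HTTP status of the follow-up request matters too: a 200 on a .php path under uploads means the server served (and most likely executed) the file, while a 403 or 404 suggests the upload was blocked or PHP execution in that directory is disabled.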
Impact
Successful exploitation of CVE-2026-6960 gives an unauthenticated attacker an arbitrary file write into a web-served directory on the WordPress host. Where the server executes PHP from that location, the write becomes remote code execution in the context of the web server user, which is normally enough to read the site's configuration and database credentials, alter or deface content, plant a persistent backdoor, or use the host as a pivot into the surrounding network. How far the compromise goes depends on the privileges of the web server user and on the hardening of the installation, in particular whether PHP execution is disabled in the uploads directory.
Recommendation
- Upgrade BookingPress Pro to a release later than 5.6. The advisory lists versions up to and including 5.6 as affected, so confirm from the vendor's release notes that the installed version contains the fix for CVE-2026-6960.
- Deploy the Sigma rule "Detect CVE-2026-6960 BookingPress Pro Arbitrary File Upload" to detect exploitation attempts in web server logs.
- Monitor the WordPress uploads directory (wp-content/uploads) for files with server-executable extensions (.php, .phtml, .phar and similar), double extensions such as image.php.png, stray .htaccess files, and image files whose content contains a PHP open tag.
- Validate every file upload server-side against an allowlist of expected types, checking both the extension and the file's magic bytes, and store uploads under a generated name rather than the client-supplied one. As defense in depth, configure the web server not to execute PHP from wp-content/uploads so that an upload which slips through validation cannot run.
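The two checks below are an added example, written for this page; they are not BookingPress code and not the platform's second detection rule, though they implement the same idea. `validate_signature_upload` is the allowlist validation the last recommendation calls for, applied to what a signature field should actually receive (a small PNG or JPEG), and `scan_uploads` is the uploads-directory sweep the monitoring recommendation calls for. The accepted types, size limit, extension list and the sample files built by `demo_scan` are the example's own choices, constructed for illustration.

```python
"""Added example (not from BookingPress or the advisory): (a) an allowlist validator for a
signature-image upload and (b) a scanner that flags files in a WordPress uploads tree that
a web server might execute. Types, limits and sample files are the example's own choices."""
import os
import re
import tempfile

# Only the raster formats a signature pad would produce. Extension AND magic bytes must agree.
ALLOWED = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Rejected anywhere in the name, which also blocks double extensions such as "sig.php.png"
# that some Apache configurations still execute, and .htaccess files that could re-enable PHP.
DANGEROUS_TOKENS = re.compile(r"\.(php\d*|phtml|phar|cgi|pl|py|sh|htaccess)(\.|$)", re.I)
MAX_BYTES = 512 * 1024
# Extensions a default Apache/PHP setup hands to the PHP interpreter.
EXEC_EXT = (".php", ".php5", ".php7", ".phtml", ".phar")


def validate_signature_upload(filename, data):
    """Return (ok, reason). Accepts only a small file that is provably a PNG or JPEG."""
    base = os.path.basename(filename)
    if base != filename or ".." in base or any(c in base for c in "\\/\x00"):
        return False, "path traversal or forbidden character in name"
    if DANGEROUS_TOKENS.search(base):
        return False, "executable extension in name"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        # A polyglot (valid image header followed by PHP) must not be stored either.
        return False, "embedded PHP tag"
    return True, "ok"


def scan_uploads(root):
    """Return (path, reason) for every file under `root` that a web server might execute
    or that could change how the directory is served."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(EXEC_EXT) or DANGEROUS_TOKENS.search(lower):
                findings.append((path, "executable or server-config name"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)       # a PHP payload in a polyglot sits near the start
            if b"<?php" in head or b"<?=" in head:
                findings.append((path, "PHP tag in content"))
    return findings


def demo_scan():
    """Build a constructed uploads tree in a temp directory, scan it, return sorted findings."""
    root = tempfile.mkdtemp(prefix="uploads_")
    sub = os.path.join(root, "2026", "03")
    os.makedirs(sub)
    samples = {   # constructed sample files
        "signature_ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b"<?php system($_GET['cmd']); ?>",
        "sig.php.png": b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>",
        "poly.jpg": b"\xff\xd8\xff\xe0" + b"<?php phpinfo(); ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(content)
    return sorted((os.path.basename(p), reason) for p, reason in scan_uploads(root))


if __name__ == "__main__":
    for name, reason in demo_scan():
        print(f"[!] {name}: {reason}")
```

The validator deliberately refuses rather than "cleans" a bad name: renaming shell.php to shell.png and storing it still leaves a PHP payload on disk for a later misconfiguration to expose. The content scan is a heuristic (binary image data can in principle contain the bytes `<?=`), so treat its findings as candidates for review, and run it from cron or a file-integrity monitor rather than only once.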
Detection coverage (2 rules)
Detect CVE-2026-6960 BookingPress Pro Arbitrary File Upload
Severity: high. Detects CVE-2026-6960 exploitation: an HTTP POST request to a WordPress site that carries a file upload in a custom form field, potentially indicative of an arbitrary file upload attempt against BookingPress Pro.
Detect Suspicious File Uploads to WordPress Uploads Directory
Severity: high. Detects creation of suspicious files (e.g., PHP scripts) within the WordPress uploads directory, which may indicate successful arbitrary file upload exploitation.