{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bookingpress-pro-plugin--5.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-6960"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BookingPress Pro plugin \u003c= 5.6"],"_cs_severities":["critical"],"_cs_tags":["wordpress","arbitrary-file-upload","rce","plugin","CVE-2026-6960","webserver"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe BookingPress Pro plugin, a WordPress plugin, is susceptible to an arbitrary file upload vulnerability (CVE-2026-6960) affecting versions up to and including 5.6. This vulnerability arises from the absence of file type validation in the \u0026lsquo;bookingpress_validate_submitted_booking_form_func\u0026rsquo; function. This allows unauthenticated attackers to upload malicious files to the affected WordPress server. Successful exploitation could enable remote code execution (RCE), granting the attacker control over the compromised system. The exploit requires that the WordPress admin has added a signature custom field to the booking form.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of BookingPress Pro (\u0026lt;= 5.6) with a signature custom field.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file, such as a PHP script, designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the WordPress site\u0026rsquo;s booking form endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the malicious file disguised as a valid file type in the signature custom field.\u003c/li\u003e\n\u003cli\u003eDue to the missing file type validation in the \u0026lsquo;bookingpress_validate_submitted_booking_form_func\u0026rsquo; function, the server accepts the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded file via a direct HTTP request to its location within the WordPress uploads directory.\u003c/li\u003e\n\u003cli\u003eThe web server executes the malicious PHP script, allowing the attacker to run arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a persistent backdoor or performs other malicious activities, such as data exfiltration or defacement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6960 can lead to arbitrary file upload, which can result in remote code execution on the WordPress server. This allows an unauthenticated attacker to gain full control over the affected system, potentially compromising sensitive data, defacing the website, or using the server for further malicious activities. The severity of the impact depends on the permissions of the web server user and the security configuration of the WordPress installation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the BookingPress Pro plugin to the latest version (greater than 5.6) to patch CVE-2026-6960.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-6960 BookingPress Pro Arbitrary File Upload\u0026rdquo; to detect exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress upload directories for suspicious file types and filenames.\u003c/li\u003e\n\u003cli\u003eImplement strong file type validation on all file upload forms to prevent arbitrary file uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T22:17:47Z","date_published":"2026-05-21T22:17:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6960-bookingpress-rce/","summary":"The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in versions up to 5.6, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution if a signature custom field is added to the booking form.","title":"CVE-2026-6960: BookingPress Pro Plugin Arbitrary File Upload Leading to Potential RCE","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6960-bookingpress-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — BookingPress Pro Plugin \u003c= 5.6","version":"https://jsonfeed.org/version/1.1"}