PT-2026-42552 · WordPress · Bookingpress Pro

Published 2026-05-21 · Updated 2026-05-23 · CVE-2026-6960

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BookingPress Pro versions prior to 5.7

Description

The BookingPress Pro plugin for WordPress allows unauthenticated attackers to upload arbitrary files to the server, which may lead to remote code execution. This occurs due to missing file type validation within the bookingpress_validate_submitted_booking_form_func() function. Exploitation is only possible if a signature custom field has been added to the booking form.

Recommendations

Update to a version later than 5.6. As a temporary workaround, remove the signature custom field from the booking form to prevent exploitation.

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-6960

Affected Products

Bookingpress Pro