BookingPress Pro Plugin: Critical RCE via Unauthenticated File Upload

The National Vulnerability Database has disclosed CVE-2026-6960, a critical arbitrary file upload vulnerability in the BookingPress Pro plugin for WordPress. Affecting all versions up to and including 5.6, this flaw stems from a lack of file type validation within the bookingpress_validate_submitted_booking_form_func function. This oversight allows unauthenticated attackers to upload arbitrary files to the server.

The critical aspect here is that this vulnerability can lead to remote code execution (RCE). While it requires a custom signature field to be present in the booking form for exploitation, this is a common configuration in many booking systems. The CVSS score of 9.8 (Critical) underscores the severity, indicating a network-exploitable vulnerability with no authentication required, leading to complete compromise of confidentiality, integrity, and availability.

For defenders, this means a direct path to server compromise if the specific conditions are met. Attackers are constantly scanning for plugins like this, especially those with high install bases. The unauthenticated nature of the exploit significantly broadens the attack surface, making it a prime target for automated exploitation. The attacker’s calculus is simple: find an exposed WordPress site with this plugin, confirm the custom field, and gain RCE.

What This Means For You

  • If your organization uses the BookingPress Pro plugin for WordPress, update immediately to a release later than 5.6. In addition, audit your booking forms to determine whether a signature custom field is in use, since that field is a prerequisite for exploitation. Prioritize this patch: the flaw allows unauthenticated remote code execution on your web servers.

Related ATT&CK Techniques: T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules


title: BookingPress Pro Unauthenticated File Upload - CVE-2026-6960
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-6960 by targeting the bookingpress_validate_submitted_booking_form_func AJAX action in the BookingPress Pro WordPress plugin. This action is vulnerable to unauthenticated arbitrary file uploads, potentially leading to remote code execution. The rule looks for POST requests to admin-ajax.php that carry the relevant action parameter in the query string.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6960/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    c-uri|contains: '/wp-admin/admin-ajax.php'
    c-uri-query|contains: 'action=bookingpress_validate_submitted_booking_form_func'
    # The uploaded file itself travels in the request body, which standard webserver access logs do not record.
    # WordPress also accepts the 'action' parameter in the POST body, so requests that send it there will not
    # match this selection; a WAF or application log that records form parameters is needed to cover that case.
  condition: selection
falsepositives:
  - Legitimate administrative activity
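As an added example (not from the original post, the NVD entry or the plugin), the following Python mirrors the Sigma selection above over constructed Apache combined-format access-log lines and adds the follow-up indicator a responder would look for after an arbitrary-upload attempt: a request for a server-side script under wp-content/uploads, where only media should live. The log lines, IP addresses, file name and severity labels are constructed; the correlation step (escalating when one client triggers both indicators) is an addition beyond what the Sigma rule checks.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (illustrative, not real traffic): one client
# calls the vulnerable AJAX action, then fetches a PHP file from uploads; the rest is benign WordPress traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=bookingpress_validate_submitted_booking_form_func HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [21/May/2026:10:01:05 +0000] "GET /wp-content/uploads/2026/05/signature.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [21/May/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.8 - - [21/May/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
AJAX_ACTION = "bookingpress_validate_submitted_booking_form_func"

def parse_line(line):
    """Split one access-log line into ip, method, path, parsed query string and status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec

def matches_sigma(rec):
    """Mirror the Sigma selection: POST to admin-ajax.php naming the vulnerable action in the query string.
    Caveat: WordPress also accepts 'action' in the POST body, which access logs do not record."""
    return (rec["method"] == "POST"
            and "/wp-admin/admin-ajax.php" in rec["path"]
            and AJAX_ACTION in rec["query"].get("action", []))

def script_in_uploads(rec):
    """Follow-up indicator: a server-side script requested from wp-content/uploads, which should hold only media."""
    return rec["path"].startswith("/wp-content/uploads/") and rec["path"].lower().endswith((".php", ".phtml", ".phar"))

def scan(log_text):
    """Return (severity, rule, ip, uri) alerts; escalate when one client triggers both indicators in sequence."""
    alerts, upload_attempt_ips = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if matches_sigma(rec):
            upload_attempt_ips.add(rec["ip"])
            alerts.append(("high", "cve-2026-6960-ajax-upload-attempt", rec["ip"], rec["uri"]))
        elif script_in_uploads(rec):
            severity = "critical" if rec["ip"] in upload_attempt_ips else "medium"
            alerts.append((severity, "script-requested-from-uploads", rec["ip"], rec["uri"]))
    return alerts
```

Running `scan(SAMPLE_LOG)` flags only the first two lines: the AJAX call as high and the later PHP fetch from the same client as critical, while the heartbeat call and the body-only POST produce nothing, which is exactly the blind spot the rule's comment describes.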

Source: Shimi's Cyber World


Indicators of Compromise

ID | Type | Indicator
CVE-2026-6960 | RCE | BookingPress Pro plugin for WordPress, versions <= 5.6
CVE-2026-6960 | Arbitrary File Upload | BookingPress Pro plugin for WordPress, function: 'bookingpress_validate_submitted_booking_form_func'
CVE-2026-6960 | Missing File Type Validation | BookingPress Pro plugin for WordPress, requires 'signature custom field' in booking form

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 22, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
