External risk intelligence

WordPress BookingPress plugin allows attackers to upload harmful files enabling remote control

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-6960

The BookingPress Pro WordPress plugin has a flaw allowing attackers to upload any file, potentially giving them control of your website's server. This is a critical risk for sites using booking forms with a signature field.

Halo Surface Signal: 4

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2026-6960

The vulnerability exists in a WordPress booking plugin designed for public-facing forms. Since these forms are intended to accept external user input, they are routinely exposed to the public internet as part of standard web application deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A flaw in the BookingPress Pro WordPress plugin allows unauthenticated attackers to upload arbitrary files. This matters because an uploaded file can be executed by the web server, leading to malicious code running on your website's server.

  • Attackers can upload any file type.
  • This impacts sites using specific booking forms.
  • Remote code execution is a possible outcome.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can upload arbitrary files to a WordPress site by exploiting a weakness in the BookingPress Pro plugin. This is possible if the site has a booking form with a signature custom field enabled, allowing the attacker to upload a web shell or other malicious file for remote code execution.

  • No authentication required.
  • Targets booking forms.
  • Requires signature custom field.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to target this vulnerability because it exists in a widely used WordPress plugin that handles public-facing forms, creating a broad attack surface. Arbitrary file upload can lead to remote code execution, a highly desirable outcome for attackers. Exploitation does, however, require an additional condition: a signature custom field must have been added to the booking form.

  • Exploitable with unauthenticated access.
  • Public exploit code is available.
  • Vulnerability is recent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking network access to BookingPress Pro instances that have signature custom fields enabled. Actively scan for signs of unauthorized file uploads, especially in WordPress logs and web server access logs. If exploitation is detected, immediately isolate the affected WordPress sites from the network to prevent further compromise.

  • Identify and block external traffic.
  • Monitor for malicious file uploads.
  • Isolate affected services if exploited.
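The log and filesystem checks recommended above, as an added example (not part of this advisory or of the BookingPress project). The plugin's own upload endpoint is not named on this page, so the log pass keys on generic WordPress indicators: a POST to /wp-admin/admin-ajax.php followed by a request for a server-side script under /wp-content/uploads/. The log lines are constructed samples, not real traffic.

```python
"""Detection pass over web server access logs and the wp-content/uploads tree.
Added example; the plugin-specific endpoint is unknown here, so the indicators
are generic WordPress ones (constructed sample data below)."""
import os
import re
from collections import defaultdict

# Combined Log Format as written by Apache/nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Script extensions that must never be reachable under the uploads tree.
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2026:12:00:03 +0000] "GET /wp-content/uploads/2026/05/sig_a1b2.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2026:12:01:10 +0000] "GET /wp-content/uploads/2026/05/photo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:02:00 +0000] "GET /wp-content/uploads/2026/05/old.PHP HTTP/1.1" 403 0 "-" "curl/8.0"
"""

def parse_line(line):
    """Parse one access log line into a dict, or None if it is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_script_under_uploads(path):
    """True if the request path points at a script file inside uploads (query string ignored)."""
    path = path.split("?", 1)[0]
    return path.startswith(UPLOADS_PREFIX) and bool(SCRIPT_EXT_RE.search(path))

def find_suspicious(lines):
    """One finding per request for a script under uploads, with a priority:
    'high' if the script was served (2xx) and the same client POSTed to admin-ajax
    earlier in the log, 'medium' if served without a prior POST, 'low' otherwise."""
    ajax_posts = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == AJAX_ENDPOINT:
            ajax_posts[rec["ip"]] += 1
        if is_script_under_uploads(rec["path"]):
            served = rec["status"].startswith("2")
            if served and ajax_posts[rec["ip"]]:
                priority = "high"
            elif served:
                priority = "medium"
            else:
                priority = "low"
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": int(rec["status"]), "priority": priority})
    return findings

def scripts_in(relative_paths):
    """Filter paths (relative to the uploads root) down to script files."""
    return sorted(p for p in relative_paths if SCRIPT_EXT_RE.search(p))

def scan_uploads_dir(root):
    """Walk a real wp-content/uploads directory and report any script files in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return scripts_in(found)

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f["priority"], f["ip"], f["path"], f["status"])
```

A 403 on a script under uploads (the "low" case) is what you expect when the web server is configured to refuse script execution in that directory; a 200 means the file was actually served and the host should be treated as compromised and isolated, as the advisory recommends. Run `scan_uploads_dir("/path/to/wp-content/uploads")` on the host itself to catch files that were written but never requested.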

Frequently asked questions

What is the BookingPress Pro WordPress plugin and its purpose?

BookingPress Pro is a WordPress plugin designed for creating and managing online booking forms. It enables website owners to handle appointments, reservations, and other scheduling-related services directly through their website.

What type of vulnerability does CVE-2026-6960 represent?

CVE-2026-6960 is classified as an arbitrary file upload vulnerability (CWE-434). This weakness allows attackers to upload any file type to the server, bypassing normal security restrictions that would limit uploads to specific, permitted file types, potentially enabling malicious code execution.
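What the "normal security restrictions" of CWE-434 look like in practice, as an added example of allowlist-based validation for an image upload such as a signature field. This is not BookingPress code and says nothing about how the plugin itself validates; the sample files are constructed.

```python
"""Allowlist-based validation for an image upload (e.g. a signature field).
Added example of the control CWE-434 describes as missing; not BookingPress
code. Sample inputs below are constructed."""
import os
import re
import secrets

# Only the content types a signature/image field legitimately needs, keyed by the
# stored extension and the leading bytes (magic) a file of that type must start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}
ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 2_000_000
STORED_NAME_RE = re.compile(r"^[0-9a-f]{32}\.(png|jpg)$")

class UploadRejected(ValueError):
    """Raised for any upload that fails a check; callers should answer with a 4xx."""

def validate_upload(filename, data, max_bytes=MAX_BYTES):
    """Return the name under which the file may be stored, or raise UploadRejected."""
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized upload")
    # Drop any directory component (path traversal) and refuse NUL bytes, which
    # some stacks use to truncate a name like 'x.php\x00.png' down to 'x.php'.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or "." not in base:
        raise UploadRejected("bad filename")
    # The extension is taken from the very end of the name and must be allowlisted,
    # so 'sig.png.php' fails because its last extension is 'php'.
    ext = base.rsplit(".", 1)[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in ALLOWED_MAGIC:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # The bytes must match the declared type; a script renamed to .png fails here.
    if not data.startswith(ALLOWED_MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    # Never reuse the client's name: a random name plus the allowlisted extension
    # keeps double-extension names like 'sig.php.png' out of the stored path.
    return f"{secrets.token_hex(16)}.{ext}"

def accepts(filename, data):
    """Convenience wrapper: True if the upload would be stored."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def is_safe_stored_name(name):
    """True if a stored name has the random-hex-plus-allowlisted-extension shape."""
    return bool(STORED_NAME_RE.match(name))

# Constructed samples: a minimal PNG header with padding, and a PHP source file.
SAMPLE_PNG = ALLOWED_MAGIC["png"] + b"\x00" * 64
SAMPLE_PHP = b"<?php echo 'hello'; ?>"
```

Two points a practitioner should take from this: the client-supplied Content-Type header is deliberately never consulted, because it is attacker-controlled, and even correct validation is only one layer; the uploads directory should additionally be served with script execution disabled at the web server so that a file that does slip through is returned as static content rather than run.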

How can an attacker exploit CVE-2026-6960 in BookingPress Pro?

An unauthenticated attacker can exploit this vulnerability by uploading arbitrary files to the affected WordPress site's server. This is achievable if the site uses a booking form with a signature custom field enabled, which can then be used to upload malicious files like web shells for remote code execution.

What makes this vulnerability relevant for potential exploitation?

This vulnerability is considered relevant due to its presence in a popular WordPress plugin that handles public-facing forms, creating a significant attack surface. The potential for arbitrary file uploads leading to remote code execution is a highly attractive outcome for attackers. While exploitation is possible, it requires the specific condition of a signature custom field being added to the booking form.

What are the recommended actions to mitigate the risk of CVE-2026-6960?

To mitigate this risk, it is recommended to block network access to BookingPress Pro instances that have signature custom fields enabled. Actively monitor WordPress and web server logs for any signs of unauthorized file uploads. If exploitation is detected, immediately isolate the compromised WordPress sites from the network to prevent further compromise.
