PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6960 Repute Infosystems CVE debrief

CVE-2026-6960 is a critical arbitrary file upload vulnerability in the BookingPress Pro WordPress plugin (BookingPress Appointment Booking Pro), affecting all versions up to and including 5.6. The flaw stems from missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Because the upload path is reachable without authentication, an attacker can upload arbitrary files to the server, which the public description notes may lead to remote code execution. One important constraint: the issue is only exploitable if a signature custom field has been added to the booking form.

Vendor: Repute Infosystems
Product: BookingPress Appointment Booking Pro
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

WordPress administrators running BookingPress Pro, site owners who use booking forms with signature custom fields, managed hosting providers, and security teams responsible for monitoring file upload paths and plugin exposure.

Technical summary

According to the supplied NVD/Wordfence-derived record, the vulnerability is an unauthenticated arbitrary file upload caused by missing file type validation in bookingpress_validate_submitted_booking_form_func. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction, high impact on confidentiality, integrity and availability), matching a critical-severity exposure. The weakness is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The exploit condition is narrower than the vector alone suggests: a signature custom field must be present in the booking form for the vulnerable path to be reachable, and CVSS carries no field for that configuration precondition. Whether an uploaded file can actually be executed also depends on the web server's handling of script files under the upload directory, which the record does not discuss.

Defensive priority

High. Treat as urgent for any internet-exposed BookingPress Pro installation that uses signature custom fields, because an unauthenticated file upload that lands in a web-served, script-executable directory is a direct path to server compromise.

Recommended defensive actions

  • Identify WordPress sites running BookingPress Pro (version 5.6 or earlier) and confirm whether any booking form includes a signature custom field.
  • If the signature custom field is not required, remove it from every booking form until a fixed version is available; the vulnerable path is only reachable while such a field exists.
  • Monitor vendor and Wordfence advisories for a patched release and update immediately once a fix is published.
  • Review wp-content/uploads (and any plugin-specific upload directory) for unexpected files, in particular PHP or other server-side script files, double-extension names such as name.php.png, image files containing a PHP open tag, and .htaccess files that re-enable script execution, paying attention to files created around booking submissions.
  • Check web server access logs and application logs for unauthenticated booking form submissions followed by requests for newly created files under wp-content/uploads.
  • Apply compensating controls: WAF rules that reject executable file types on the booking submission endpoint, web server configuration that denies PHP execution under wp-content/uploads, and least-privilege permissions so the web server account can write only where uploads are expected.
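The review and log-check steps above, as an added example for this debrief (not code from PatchSiren, Wordfence or Repute Infosystems): one function walks an uploads tree and flags files a PHP handler would execute, double extensions, image files that carry a PHP open tag, and stray .htaccess files; a second parses combined-format access log lines, flags fetches of scripts under wp-content/uploads and counts earlier POSTs to admin-ajax.php from the same client. The uploads tree and log lines are constructed for the demo, the "dropped" files contain only a benign PHP tag, and the assumption that the booking form submits through admin-ajax.php is a common WordPress pattern, not something the advisory states.

```python
"""Hunt for arbitrary-file-upload fallout on a WordPress host.

Added example for this debrief; not code from PatchSiren, Wordfence or
Repute Infosystems.

  scan_uploads(root)   walk wp-content/uploads and flag files PHP would
                       execute, double extensions, image files carrying a
                       PHP open tag, and .htaccess files that can re-enable
                       script execution.
  correlate(lines)     scan combined-format access log lines for fetches
                       of scripts under the uploads tree and count prior
                       POSTs to admin-ajax.php from the same client.

Assumptions: the booking form submits through admin-ajax.php (common
WordPress pattern; the advisory does not name the endpoint). The uploads
tree and log lines are constructed; the "dropped" files only hold a
benign PHP tag.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

EXEC_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)
UPLOAD_SCRIPT = re.compile(r"/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def has_php_tag(path):
    """True if the first 64 KiB of the file contains a PHP open tag."""
    with open(path, "rb") as fh:
        return PHP_TAG.search(fh.read(65536)) is not None


def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            suffixes = [s.lower() for s in path.suffixes]
            if name == ".htaccess":                          # can map .png etc. back to the PHP handler
                findings.append((rel, "htaccess in uploads tree"))
            elif suffixes and suffixes[-1] in EXEC_EXT:      # served as code by the PHP handler
                findings.append((rel, "executable extension"))
            elif any(s in EXEC_EXT for s in suffixes[:-1]):  # name.php.png style names
                findings.append((rel, "double extension"))
            elif suffixes and suffixes[-1] in IMAGE_EXT and has_php_tag(path):
                findings.append((rel, "php tag inside image"))
    return sorted(findings)


def correlate(lines):
    """Flag requests for scripts under uploads/ and count earlier admin-ajax POSTs by the same IP."""
    parsed = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    hits = []
    for i, req in enumerate(parsed):
        if not UPLOAD_SCRIPT.search(req["path"]):
            continue
        prior = [r for r in parsed[:i]
                 if r["ip"] == req["ip"] and r["method"] == "POST"
                 and r["path"].startswith("/wp-admin/admin-ajax.php")]
        hits.append({"ip": req["ip"], "path": req["path"],
                     "status": int(req["status"]), "prior_ajax_posts": len(prior)})
    return hits


# Constructed access-log lines (combined format); not from any real host.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:22:30:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:22:30:03 +0000] "GET /wp-content/uploads/2026/05/sig_4f2a.php?cmd=id HTTP/1.1" 200 58 "-" "curl/8.4.0"',
    '198.51.100.20 - - [21/May/2026:22:31:10 +0000] "GET /wp-content/uploads/2026/05/sig_91bb.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [21/May/2026:22:32:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 290 "-" "Mozilla/5.0"',
]


def build_demo_uploads():
    """Create a constructed uploads tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="uploads_demo_"))
    d = root / "2026" / "05"
    d.mkdir(parents=True)
    (d / "sig_91bb.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)          # legitimate signature image
    (d / "sig_4f2a.php").write_bytes(b"<?php echo 'marker'; ?>")                    # script dropped via the upload
    (d / "sig_c0de.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 'x'; ?>")  # JPEG header, PHP body
    (d / "sig_ab12.php.png").write_bytes(b"\x89PNG\r\n\x1a\n")                      # double extension
    (d / ".htaccess").write_text("AddType application/x-httpd-php .png\n")          # re-enables execution
    return root


def run_demo():
    """Run both checks over the constructed data and return the findings."""
    root = build_demo_uploads()
    try:
        files = scan_uploads(root)
    finally:
        shutil.rmtree(root)
    return {"files": files, "requests": correlate(SAMPLE_LOG)}


if __name__ == "__main__":
    demo = run_demo()
    for rel, reason in demo["files"]:
        print(f"{reason:26} {rel}")
    for hit in demo["requests"]:
        print(f"{hit['ip']} fetched {hit['path']} ({hit['status']}), prior admin-ajax POSTs: {hit['prior_ajax_posts']}")
```

On a real host, point scan_uploads at the site's wp-content/uploads and feed correlate the access log for the window around the advisory date; a script fetch from the uploads tree that returns 200 shortly after an unauthenticated POST from the same address is the pattern to escalate. The image check only reads the first 64 KiB, so a PHP tag buried deeper in a large file will be missed; extend the read if upload sizes on the site are large.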

Evidence notes

The debrief is based only on the supplied CVE description and official links. The CVE was published and modified at 2026-05-21T22:16:48.643Z. The supplied record cites Wordfence as the source of the vulnerability information and references the BookingPress site and Wordfence advisory. No fixed version, exploitation in the wild, or vendor patch details were provided in the corpus.

Official resources

Publicly disclosed on 2026-05-21. The supplied record does not include coordinated disclosure details beyond the publication timestamp and linked advisory sources.