CRITICAL
Repute Infosystems
CVE published 2026-05-21
CVE-2026-6960
CVE-2026-6960 is a critical arbitrary file upload issue in the BookingPress Pro WordPress plugin. The flaw stems from missing file type validation in the bookingpress_validate_submitted_booking_form_func function, and it affects all versions up to and including 5.6. Because the upload path is reachable without authentication, attackers could upload arbitrary files to the server; the public description not [truncated]