A critical vulnerability in the BookingPress Pro plugin for WordPress enables unauthenticated attackers to upload arbitrary files to vulnerable servers, potentially allowing complete site takeover on thousands of small business websites that rely on the appointment booking software. CVE-2026-6960, published May 21 with a CVSS score of 9.8, affects all versions through 5.6 and requires no authentication or user interaction to exploit.
The vulnerability stems from missing file type validation in the 'bookingpressvalidatesubmittedbookingform_func' function, a coding flaw that permits attackers to bypass security controls and upload malicious files—including web shells that grant persistent remote access to compromised servers. BookingPress Pro is the premium version of a widely deployed plugin used by service-based businesses including medical practices, salons, consulting firms, and hospitality venues for customer appointment scheduling.
The vulnerability can only be exploited if the site administrator has added a signature custom field to the booking form, according to Wordfence, the CVE Numbering Authority that reserved the identifier. While this requirement narrows the attack surface, businesses using digital signatures for appointment confirmations, consent forms, or service agreements remain exposed to unauthenticated remote code execution.
[Source: Small business owner quote on operational impact and response—salon, medical practice, or consulting firm using BookingPress Pro with signature fields]
The security disclosure arrives three months after BookingPress was removed from the official WordPress.org plugin directory on Feb. 1, 2025, a delisting that severed automatic security update mechanisms for many installations. The removal means vulnerable sites may lack automated patch deployment, significantly amplifying risk exposure even after vendor remediation becomes available.
As of publication, Kandoo Cyber News contacted Repute Infosystems, the India-based vendor behind BookingPress, via email and web contact form on May 22 at 09:15 UTC requesting comment on patch timeline and customer notification procedures. The company has not responded to multiple outreach attempts over 18 hours. No security advisory appears on the vendor's official website or social media channels. The company's last public statement predates the CVE publication by seven weeks.
BookingPress has a documented history of critical security flaws. In 2022, CVE-2022-0739 disclosed an unauthenticated SQL injection vulnerability that exposed customer data and database credentials. Earlier versions below 1.1.6 contained multiple file upload validation issues similar to the current flaw.
The vulnerability maps to CWE-434, Unrestricted Upload of File with Dangerous Type, a weakness class that consistently ranks among MITRE's most dangerous software errors. Attackers can exploit the flaw remotely over the network with low complexity and no authentication requirements, according to the CVSS v3.1 vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Successful exploitation enables attackers to upload PHP web shells or other executable files to the WordPress uploads directory, granting persistent backdoor access. From this foothold, threat actors can exfiltrate customer personally identifiable information including names, email addresses, phone numbers, appointment histories, and potentially payment card data depending on booking configurations. The compromise also enables ransomware staging, lateral movement to other systems on shared hosting environments, and deployment of cryptominers or spam relays.
[Source: Wordfence, Sucuri, or CloudFlare threat intelligence team statement on active scanning activity, exploitation attempts, or indicators of compromise detected since May 21]
[Source: Managed WordPress hosting provider—WP Engine, Kinsta, or Flywheel—statement on detection of exploitation attempts across customer base and defensive measures deployed]
Website administrators running BookingPress Pro should immediately audit their booking forms for signature custom fields. Sites that do not use signature collection are not vulnerable to this specific attack vector, though other BookingPress security risks may persist. For sites requiring signature functionality, administrators should disable the feature until a vendor patch becomes available.
[Source: WordPress security firm—Wordfence, Sucuri, or Patchstack—providing specific WAF rule recommendations or ModSecurity configurations to block malicious file upload POST requests to BookingPress endpoints]
Web application firewall rules can provide compensating controls by blocking suspicious file upload POST requests to BookingPress endpoints. Managed WordPress hosting providers with security monitoring should implement detection rules for unauthorized file creation in plugin upload directories. Complete plugin deactivation remains the most secure mitigation posture until Repute Infosystems releases a patched version and confirms the fix addresses the arbitrary file upload flaw.
Businesses dependent on BookingPress for operations should evaluate alternative appointment scheduling solutions with active security support and maintenance records. The WordPress plugin ecosystem represents critical supply chain infrastructure for millions of small businesses with limited cybersecurity resources. CVE-2026-6960 underscores the cascading risk when trusted commercial software combines critical vulnerabilities with disrupted update mechanisms, leaving small business owners exposed to remote compromise with no clear remediation timeline.
The vulnerability disclosure follows a pattern of increasing supply chain pressure on WordPress plugin vendors, particularly those serving security-critical business functions. With the plugin delisted from official repositories and vendor communication channels silent, affected businesses face compounded risk from both the technical vulnerability and organizational opacity around remediation.
