CVE-2026-6960
BookingPress · BookingPress Pro
The BookingPress Pro plugin for WordPress contains an arbitrary file upload vulnerability that can lead to unauthenticated remote code execution.
Executive summary
A critical arbitrary file upload vulnerability in the BookingPress Pro plugin for WordPress poses a severe risk of unauthenticated remote code execution.
Vulnerability
The vulnerability exists because the 'bookingpress_validate_submitted_booking_form_func' function does not validate the type of files submitted with the booking form. When a signature custom field is enabled on the form, an unauthenticated visitor can reach this code path and upload a file of an arbitrary type; if the uploaded file is one the web server will execute (for example a PHP script), the result is remote code execution on the site.
Business impact
With a CVSS score of 9.8, this vulnerability is classified as critical. Successful exploitation provides attackers with the ability to execute arbitrary code on the underlying server, potentially leading to a complete system compromise, unauthorized access to sensitive booking data, and significant operational disruption.
Remediation
Immediate Action: Update to the latest version of BookingPress Pro immediately to apply the necessary file validation patches.
Proactive Monitoring: Review web server access logs for submissions to the booking form followed by requests for server-executable file types (such as .php) under the plugin's upload directory, and inspect that directory on disk for any file that is not the expected image type. Treat such a file as a likely web shell and begin incident response rather than simply deleting it.
Compensating Controls: Implement a Web Application Firewall (WAF) to block suspicious file upload requests, restrict access to the booking form interface if feasible, and, where the web server configuration permits, disable script execution within the WordPress uploads directory so that an uploaded script cannot run even if the upload itself succeeds.
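The log review described under Proactive Monitoring, as an added example that is not part of the original advisory and not code from BookingPress. It assumes a combined-format access log, the standard WordPress uploads prefix /wp-content/uploads/, and that the booking form is submitted through /wp-admin/admin-ajax.php; the log lines embedded below are constructed for the example. It flags any request for a server-executable file under the uploads tree (including double extensions such as name.php.png) and escalates when the same client IP posted to the form endpoint beforehand.

```python
import re
from urllib.parse import urlsplit

# Extensions a typical PHP handler configuration will execute. Assumed list;
# tune it to the server's actual AddHandler / location rules.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}

# Assumed locations (not taken from the advisory): standard WordPress uploads
# prefix and the AJAX endpoint the booking form posts to.
UPLOADS_PREFIX = "/wp-content/uploads/"
UPLOAD_ENDPOINT = "/wp-admin/admin-ajax.php"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_executable_upload(path):
    """True if the request path is inside the uploads tree and any extension
    segment of the file name is server-executable. Every segment after the
    first dot is checked so that double extensions like sig.php.png, which
    some Apache handler setups still execute, are caught too."""
    p = urlsplit(path).path.lower()
    if not p.startswith(UPLOADS_PREFIX):
        return False
    name = p.rsplit("/", 1)[-1]
    return any(seg in EXEC_EXTS for seg in name.split(".")[1:])


def find_suspicious(lines):
    """Return findings for executable files fetched from the uploads tree.

    A finding is escalated when the same client IP previously POSTed to the
    form endpoint, which is the upload-then-execute pattern an attacker
    abusing the signature field would leave behind."""
    posted = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and urlsplit(rec["path"]).path == UPLOAD_ENDPOINT:
            posted.add(rec["ip"])
            continue
        if is_executable_upload(rec["path"]):
            reason = "executable file requested under uploads"
            if rec["ip"] in posted:
                reason += "; same IP POSTed to the form endpoint earlier"
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "status": rec["status"], "reason": reason,
            })
    return findings


# Constructed sample log lines for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2026:10:14:05 +0000] "GET /wp-content/uploads/2026/05/signature.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:15:11 +0000] "GET /wp-content/uploads/2026/05/signature.png HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:16:40 +0000] "GET /wp-content/uploads/2026/05/sig.php.png?cmd=id HTTP/1.1" 200 90 "-" "curl/8.0"
192.0.2.3 - - [12/May/2026:10:17:00 +0000] "POST /wp-admin/admin-ajax.php?action=bookingpress_front_save_appointment_booking HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['status']} {f['path']}  <- {f['reason']}")
```

Run it against a real log with `find_suspicious(open("access.log"))`; a 200 response for a .php file under uploads is the strongest signal, while a 403 or 404 for the same path still shows that someone tried. The AJAX action name in the last sample line is an illustrative placeholder, not a confirmed BookingPress identifier.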
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity and the fact that the vulnerable code path is reachable through a public booking form without authentication, immediate patching is required. Administrators should verify their installed plugin version, apply the update without delay, and, because no authentication is needed to trigger the upload, check the uploads directory and access logs for signs that the flaw was exploited before the patch was applied.