The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the bookingpress_process_upload function in all versions up to, and including 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected sites server, enabling remote code execution.