Description
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.
Published: 2026-05-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Salon Booking System – Free Version plugin for WordPress is vulnerable to an arbitrary file read flaw that arises from the public booking flow admitting user‑controlled file‑field values, which are later treated as trusted paths for email attachments. This design flaw allows path traversal, supplying a likely attack vector that exploits the publicly accessible booking endpoint without authentication, enabling an attacker to read any file on the server and exfiltrate it via booking confirmation email attachments.

Affected Systems

The flaw affects WordPress sites running the Salon Booking System – Free Version plugin with versions 10.30.25 and earlier. No specific manufacturer beyond the WordPress plugin is indicated beyond the vendor/brand name used by the CNA.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium‑high severity, reflecting the ability to read sensitive files. No EPSS score is available, so the current exploitation probability cannot be quantified. The vulnerability is not yet listed in CISA’s KEV catalog, suggesting no known public exploits, though the flaw permits unauthenticated compromise and data exfiltration. Attackers would likely exploit the public booking flow to supply a path‑traversal string, trigger the email attachment generation, and receive the file contents via the resulting email.

Generated by OpenCVE AI on May 2, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Salon Booking System – Free Version plugin to the latest available release (10.30.26 or newer), which removes the vulnerable file‑path handling.
  • Disable the booking functionality temporarily or restrict its usage to authenticated users while awaiting the plugin update.
  • Sanitize the file attachment field server‑side, ensuring paths are confined within a whitelisted directory to prevent traversal attacks.
  • Change the permissions of the booking attachment directory to restrict read/write access to only the necessary application processes, blocking arbitrary file reads by the web server.

Generated by OpenCVE AI on May 2, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.
Title Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T11:16:11.330Z

Reserved: 2026-04-14T20:18:15.555Z

Link: CVE-2026-6320

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T12:16:16.750

Modified: 2026-05-02T12:16:16.750

Link: CVE-2026-6320

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T13:00:06Z

Weaknesses