Salon Booking System – Free Version < 10.30.26 – Unauthenticated Arbitrary File Read via Booking File Field Path Traversal | CVE 2026-6320 | Plugin Vulnerabilities

Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.

Affects Plugins

salon-booking-system

Fixed in 10.30.26

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e91b8082-e1c7-4989-82db-20e255b52854

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

6cc2d4fe-ec1c-432f-b0cb-daab1ff44e02

Timeline

Publicly Published

2026-05-01 (about 1 month ago)

Added

2026-05-01 (about 1 month ago)

Last Updated

2026-05-02 (about 1 month ago)

Other

Published

Title

Published

2026-06-12

Title

WS Optimize – All-in-One Speed Booster & Cache Tools < 3.3.20 - Authenticated (Editor+) Arbitrary File Read

Published

2026-04-21

Title

Contact Form Extender for Divi – Submissions DB & Extra Fields < 1.0.7 - Unauthenticated Arbitrary File Deletion

Published

2024-04-05

Title

Media Library Folders < 8.1.9 - Authenticated (Author+) Directory Traversal

Published

2014-08-01

Title

BookX 1.7 - includes/bookx_export.php file Parameter Remote Path Traversal File Access

Published

2024-03-14

Title

HT Mega – Absolute Addons For Elementor < 2.4.7 - Contributor+ Directory Traversal