Product
The Salon Booking System - Free Version plugin for WordPress (versions up to and including 10.30.32) is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability stemming from a lack of nonce validation in the setCustomText function, allowing unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file, which can lead to remote code execution (RCE) on the server if an administrator is tricked into clicking a crafted link.