{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/salon-booking-system---free-version-plugin-for-wordpress--10.30.32/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Salon Booking System - Free Version plugin for WordPress \u003c= 10.30.32"],"_cs_severities":["high"],"_cs_tags":["web-exploitation","vulnerability","wordpress","rce","csrf"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Salon Booking System - Free Version plugin for WordPress, in all versions up to and including 10.30.32, is vulnerable to Cross-Site Request Forgery (CSRF) via CVE-2026-15070. This flaw originates from missing or incorrect nonce validation within the \u003ccode\u003esetCustomText\u003c/code\u003e function. This allows unauthenticated attackers to inject arbitrary PHP code into the \u003ccode\u003etranslate-constants.php\u003c/code\u003e file, which is directly accessible over the web. The vulnerability is exploitable because the \u003ccode\u003esanitize_text_field()\u003c/code\u003e function, applied to the POST 'value' parameter, fails to neutralize critical characters like single quotes, parentheses, semicolons, dollar signs, and brackets. If an administrator is successfully tricked into clicking a crafted link, the attacker can achieve remote code execution on the server, posing a significant threat to the integrity and availability of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious Cross-Site Request Forgery (CSRF) payload designed to target the vulnerable \u003ccode\u003esetCustomText\u003c/code\u003e function of the Salon Booking System plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker socially engineers an authenticated administrator of the target WordPress site to click on a crafted link (e.g., via phishing email or malicious website).\u003c/li\u003e\n\u003cli\u003eThe administrator's browser, authenticated to the WordPress site, sends the forged POST request containing the malicious PHP code as part of the 'value' parameter.\u003c/li\u003e\n\u003cli\u003eDue to the absence of proper nonce validation, the WordPress site processes the request as legitimate, invoking the vulnerable \u003ccode\u003esetCustomText\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esetCustomText\u003c/code\u003e function, which uses \u003ccode\u003esanitize_text_field()\u003c/code\u003e on the 'value' parameter, fails to adequately neutralize PHP metacharacters within the attacker-supplied input.\u003c/li\u003e\n\u003cli\u003eThe unneutralized arbitrary PHP code is then interpolated into a string literal and written to the \u003ccode\u003etranslate-constants.php\u003c/code\u003e file within the plugin's directory via \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker then directly accesses the now-modified and web-accessible \u003ccode\u003etranslate-constants.php\u003c/code\u003e file, causing the injected PHP code to execute on the server.\u003c/li\u003e\n\u003cli\u003eRemote Code Execution (RCE) is achieved, granting the attacker control over the compromised WordPress server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15070 allows unauthenticated attackers to achieve remote code execution on the compromised WordPress server. This can lead to complete compromise of the website and underlying server, including data theft, defacement, installation of malware, establishment of persistent backdoors, and further network infiltration. The severity of the impact is high, as an attacker gaining RCE can fully control the affected system, affecting all data and services hosted on it. There are no specific victim counts or sectors mentioned, but any organization using the vulnerable plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Salon Booking System - Free Version plugin for WordPress to a version patched against CVE-2026-15070 (version 10.30.33 or later).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your webserver logs to detect attempts to exploit CVE-2026-15070.\u003c/li\u003e\n\u003cli\u003eConfigure web application firewalls (WAFs) to block requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e that contain common PHP code injection patterns in POST parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T04:21:36Z","date_published":"2026-07-10T04:21:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-salon-booking-rce/","summary":"The Salon Booking System - Free Version plugin for WordPress (versions up to and including 10.30.32) is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability stemming from a lack of nonce validation in the setCustomText function, allowing unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file, which can lead to remote code execution (RCE) on the server if an administrator is tricked into clicking a crafted link.","title":"CVE-2026-15070: WordPress Salon Booking Plugin CSRF to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-salon-booking-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Salon Booking System - Free Version Plugin for WordPress \u003c= 10.30.32","version":"https://jsonfeed.org/version/1.1"}