<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Salon Booking System - Free Version Plugin for WordPress &lt;= 10.30.32 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/salon-booking-system---free-version-plugin-for-wordpress--10.30.32/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 04:21:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/salon-booking-system---free-version-plugin-for-wordpress--10.30.32/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15070: WordPress Salon Booking Plugin CSRF to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-salon-booking-rce/</link><pubDate>Fri, 10 Jul 2026 04:21:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-salon-booking-rce/</guid><description>The Salon Booking System - Free Version plugin for WordPress (versions up to and including 10.30.32) is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability stemming from a lack of nonce validation in the setCustomText function, allowing unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file, which can lead to remote code execution (RCE) on the server if an administrator is tricked into clicking a crafted link.</description><content:encoded><![CDATA[<p>The Salon Booking System - Free Version plugin for WordPress, in all versions up to and including 10.30.32, is vulnerable to Cross-Site Request Forgery (CSRF) via CVE-2026-15070. This flaw originates from missing or incorrect nonce validation within the <code>setCustomText</code> function. This allows unauthenticated attackers to inject arbitrary PHP code into the <code>translate-constants.php</code> file, which is directly accessible over the web. The vulnerability is exploitable because the <code>sanitize_text_field()</code> function, applied to the POST 'value' parameter, fails to neutralize critical characters like single quotes, parentheses, semicolons, dollar signs, and brackets. If an administrator is successfully tricked into clicking a crafted link, the attacker can achieve remote code execution on the server, posing a significant threat to the integrity and availability of the WordPress site.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious Cross-Site Request Forgery (CSRF) payload designed to target the vulnerable <code>setCustomText</code> function of the Salon Booking System plugin.</li>
<li>The attacker socially engineers an authenticated administrator of the target WordPress site to click on a crafted link (e.g., via phishing email or malicious website).</li>
<li>The administrator's browser, authenticated to the WordPress site, sends the forged POST request containing the malicious PHP code as part of the 'value' parameter.</li>
<li>Due to the absence of proper nonce validation, the WordPress site processes the request as legitimate, invoking the vulnerable <code>setCustomText</code> function.</li>
<li>The <code>setCustomText</code> function, which uses <code>sanitize_text_field()</code> on the 'value' parameter, fails to adequately neutralize PHP metacharacters within the attacker-supplied input.</li>
<li>The unneutralized arbitrary PHP code is then interpolated into a string literal and written to the <code>translate-constants.php</code> file within the plugin's directory via <code>file_put_contents()</code>.</li>
<li>The attacker then directly accesses the now-modified and web-accessible <code>translate-constants.php</code> file, causing the injected PHP code to execute on the server.</li>
<li>Remote Code Execution (RCE) is achieved, granting the attacker control over the compromised WordPress server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15070 allows unauthenticated attackers to achieve remote code execution on the compromised WordPress server. This can lead to complete compromise of the website and underlying server, including data theft, defacement, installation of malware, establishment of persistent backdoors, and further network infiltration. The severity of the impact is high, as an attacker gaining RCE can fully control the affected system, affecting all data and services hosted on it. There are no specific victim counts or sectors mentioned, but any organization using the vulnerable plugin is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the Salon Booking System - Free Version plugin for WordPress to a version patched against CVE-2026-15070 (version 10.30.33 or later).</li>
<li>Deploy the provided Sigma rule to your webserver logs to detect attempts to exploit CVE-2026-15070.</li>
<li>Configure web application firewalls (WAFs) to block requests to <code>/wp-admin/admin-ajax.php</code> that contain common PHP code injection patterns in POST parameters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-exploitation</category><category>vulnerability</category><category>wordpress</category><category>rce</category><category>csrf</category></item></channel></rss>