{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/salon-booking-system--free-version-plugin-for-wordpress--10.30.25/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6320"}],"_cs_exploited":false,"_cs_products":["Salon Booking System – Free Version plugin for WordPress \u003c= 10.30.25"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-read","wordpress","plugin-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25, contains an arbitrary file read vulnerability. This flaw stems from the plugin\u0026rsquo;s public booking flow, where it accepts attacker-controlled file-field values. These values are subsequently used as trusted paths when creating email attachments for booking confirmations. This allows an unauthenticated attacker to supply a path to any file accessible to the web server, triggering its inclusion as an attachment in the booking confirmation email, effectively enabling arbitrary file exfiltration. Exploitation requires no authentication and can be triggered remotely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the public booking form of a WordPress site running the vulnerable Salon Booking System plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to the booking form, injecting a file path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e) into a file-field parameter.\u003c/li\u003e\n\u003cli\u003eThe plugin processes the booking request and stores the attacker-supplied file path.\u003c/li\u003e\n\u003cli\u003eThe plugin generates a booking confirmation email.\u003c/li\u003e\n\u003cli\u003eThe plugin uses the stored, attacker-controlled file path to attach the specified file to the confirmation email.\u003c/li\u003e\n\u003cli\u003eThe booking confirmation email, now containing the arbitrary file as an attachment, is sent to the user who initiated the booking (which could be the attacker or an unwitting third party).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the email (if sent to the attacker) or intercepts it (if sent to a third party) and extracts the attached file.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the contents of the exfiltrated file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to read arbitrary files from the affected WordPress server. This could lead to the disclosure of sensitive information, such as configuration files, database credentials, or other confidential data. The vulnerability affects versions of the Salon Booking System plugin up to and including 10.30.25. The number of affected WordPress installations is unknown, but could be substantial given the plugin\u0026rsquo;s popularity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Salon Booking System plugin to the latest version to patch CVE-2026-6320.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for suspicious requests containing absolute or relative file paths in file-field parameters, using a detection rule similar to the ones provided below.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for all user-supplied data, especially file paths.\u003c/li\u003e\n\u003cli\u003eReview and restrict file system permissions to limit the files accessible to the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-wordpress-arbitrary-file-read/","summary":"The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.","title":"Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-arbitrary-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Salon Booking System – Free Version Plugin for WordPress \u003c= 10.30.25","version":"https://jsonfeed.org/version/1.1"}