CVE-2026-6320 Overview
CVE-2026-6320 is an arbitrary file read vulnerability in the Salon Booking System – Free Version plugin for WordPress. The flaw affects all versions up to and including 10.30.25. The public booking flow accepts attacker-controlled file-field values and later uses those stored values as trusted paths for email attachments. Unauthenticated attackers can read arbitrary local files and exfiltrate them through booking confirmation email attachments. The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Unauthenticated remote attackers can exfiltrate arbitrary files from the WordPress server, including wp-config.php, by abusing the plugin's booking confirmation email attachments.
Affected Products
- Salon Booking System – Free Version plugin for WordPress
- All versions up to and including 10.30.25
- WordPress sites with the public booking flow enabled
Discovery Timeline
- 2026-05-02 - CVE-2026-6320 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-6320
Vulnerability Analysis
The vulnerability resides in how the Salon Booking System plugin handles file-field values supplied during the public booking process. The plugin accepts attacker-controlled values referencing file paths and stores them without validation. When the booking confirmation email is generated, the plugin treats those stored values as trusted local paths and attaches the referenced files to the outbound email. This design lets an unauthenticated attacker request that any file readable by the web server be attached to a booking confirmation message they receive. Sensitive targets include wp-config.php, private keys, log files, and database backups.
Root Cause
The root cause is a path traversal weakness combined with missing input validation on file-field values submitted through the booking form. The plugin fails to constrain submitted paths to a safe upload directory or verify that the path corresponds to a legitimate user-uploaded artifact. Stored values flow directly into the mail-attachment routine, where they are treated as trusted server-side paths.
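The containment check this section says is missing, written here as an added example in Python rather than the plugin's PHP (function names and the temporary uploads directory are assumptions, not the plugin's code): a stored file-field value is only attachable if it resolves to a regular file inside the uploads directory.

```python
import os
import tempfile

# Constructed stand-in for wp-content/uploads, created fresh for the demo.
UPLOADS_DIR = tempfile.mkdtemp()


def safe_attachment_path(uploads_dir, stored_value):
    """Resolve a stored file-field value to an attachable path, or None.

    This is the check the Root Cause section describes as absent: the value
    must stay inside the uploads directory and name a real uploaded file.
    """
    if not stored_value or "\x00" in stored_value:
        return None                      # empty value or embedded null byte
    if os.path.isabs(stored_value):
        return None                      # uploads are never absolute paths
    root = os.path.realpath(uploads_dir)
    # realpath collapses '..' and follows symlinks before the comparison
    candidate = os.path.realpath(os.path.join(root, stored_value))
    # commonpath is segment-aware: 'uploads_evil' is not inside 'uploads'
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not os.path.isfile(candidate):
        return None                      # directories and missing files rejected
    return candidate


def build_attachments(uploads_dir, stored_values):
    """Filter a booking's stored file-field values down to attachable paths."""
    resolved = (safe_attachment_path(uploads_dir, v) for v in stored_values)
    return [p for p in resolved if p is not None]


def sample_upload(name="booking-photo.jpg"):
    """Create a constructed legitimate upload and return its resolved path."""
    path = os.path.join(UPLOADS_DIR, name)
    with open(path, "w") as fh:
        fh.write("constructed sample upload\n")
    return os.path.realpath(path)


if __name__ == "__main__":
    legit = sample_upload()
    stored = ["booking-photo.jpg", "../../etc/passwd", "/var/www/html/wp-config.php"]
    print(build_attachments(UPLOADS_DIR, stored))
```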
Attack Vector
An unauthenticated attacker submits a crafted booking request with a file-field value pointing to a sensitive local file path. The attacker supplies a controlled email address as the booking contact. When the plugin processes the booking confirmation, it reads the referenced file and attaches it to the email sent to the attacker. The attack requires no authentication, no privileges, and no user interaction. See the Wordfence Vulnerability Analysis for additional technical context.
No verified public proof-of-concept code is available. The vulnerability mechanism is documented in the plugin changeset referenced in the WordPress Plugin Change Log.
Detection Methods for CVE-2026-6320
Indicators of Compromise
- Booking submissions containing path traversal sequences such as ../ or absolute paths like /etc/passwd or /var/www/html/wp-config.php in file-field parameters.
- Outbound emails from the WordPress site carrying attachments that match server configuration files or other non-upload paths.
- Unexpected reads of sensitive files by the PHP worker process while it is handling booking-related endpoints.
Detection Strategies
- Inspect web server access logs for POST requests to the Salon Booking System endpoints with suspicious values in file-field parameters.
- Monitor PHP mail() and SMTP relay logs for attachments referencing paths outside the WordPress uploads directory.
- Deploy a Web Application Firewall (WAF) rule that blocks path traversal patterns in booking form submissions.
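A scanner for the submission review described in the first strategy above, added here as an example and not taken from the plugin or the Wordfence analysis. Plain access logs rarely contain POST bodies, so it runs over a constructed export of stored booking records (the same shape a WAF audit log of request bodies would give); the heuristic for recognising file-field names is an assumption, since the plugin's real parameter names are not on this page, and it goes one step beyond the indicator list by percent-decoding values before matching.

```python
import json
import re
from urllib.parse import unquote

# Indicator patterns taken from the Indicators of Compromise list above;
# values are percent-decoded first so an encoded '../' is caught as well.
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:\\)")
SENSITIVE = re.compile(r"wp-config\.php|/etc/|\.env$", re.IGNORECASE)
# Assumed heuristic for file fields; the real parameter names are unknown.
FILE_FIELD = re.compile(r"file|attach", re.IGNORECASE)


def classify_value(value):
    """Return the indicator names that match one file-field value."""
    decoded = unquote(value)
    hits = []
    if "\x00" in decoded:
        hits.append("null-byte")
    if TRAVERSAL.search(decoded):
        hits.append("traversal")
    if ABSOLUTE.match(decoded):
        hits.append("absolute-path")
    if SENSITIVE.search(decoded):
        hits.append("sensitive-file")
    return hits


def scan_submissions(records):
    """Flag records (dicts with id, email, fields) whose file fields carry indicators."""
    findings = []
    for rec in records:
        for name, value in rec["fields"].items():
            if not FILE_FIELD.search(name):
                continue
            hits = classify_value(str(value))
            if hits:
                findings.append({"id": rec["id"], "email": rec["email"],
                                 "field": name, "indicators": hits})
    return findings


# Constructed sample export (not real data); record 105 shows that '..'
# inside an ordinary filename is not traversal and must not be flagged.
SAMPLE = json.loads("""[
 {"id": 101, "email": "guest@example.com", "fields": {"file_1": "booking-photo.jpg"}},
 {"id": 102, "email": "drop@example.net", "fields": {"file_1": "../../../../var/www/html/wp-config.php"}},
 {"id": 103, "email": "drop@example.net", "fields": {"file_1": "/etc/passwd"}},
 {"id": 104, "email": "drop@example.net", "fields": {"file_1": "%2e%2e%2fwp-config.php"}},
 {"id": 105, "email": "guest@example.com", "fields": {"file_1": "my..notes.pdf"}}
]""")
```

Feed `scan_submissions` the plugin's stored bookings or a request-body audit log and review every flagged record's contact email against the outbound mail log.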
Monitoring Recommendations
- Alert on file reads of wp-config.php, .env, or /etc/ files by the web server user account.
- Track booking confirmation emails sent to newly registered or external addresses with non-zero attachment sizes.
- Correlate WordPress plugin version inventory against the affected range of 10.30.25 and earlier.
How to Mitigate CVE-2026-6320
Immediate Actions Required
- Update the Salon Booking System – Free Version plugin to a version newer than 10.30.25 once the vendor publishes a fixed release.
- Audit recent booking submissions and outbound emails for evidence of file exfiltration attempts.
- Rotate any secrets stored in wp-config.php, including database credentials and authentication keys, if compromise is suspected.
Patch Information
Review the WordPress Plugin Change Log for the patch commit that addresses this issue. Apply the fixed version as soon as it is available through the WordPress plugin repository. Verify the deployed plugin version after the update.
Workarounds
- Disable or uninstall the Salon Booking System plugin until a patched version is installed.
- Restrict file system permissions so the web server user cannot read sensitive configuration files outside the WordPress document root.
- Configure a WAF to reject booking submissions containing ../, null bytes, or absolute paths in file-field parameters.
- Disable outbound email attachments from the WordPress site at the mail transport layer until remediation is complete.
# Example WAF rule pattern to block path traversal in booking submissions
# ModSecurity-style rule (sanitized example)
SecRule ARGS "@rx (\.\./|\.\.\\|/etc/|wp-config\.php)" \
"id:1026320,phase:2,deny,status:403,msg:'CVE-2026-6320 path traversal attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.