Unauthenticated path traversal exfiltrates server files via booking emails
TL;DR - Salon Booking System (WordPress plugin) <= 10.30.25: the public booking flow accepts attacker-controlled file-field values, stores them, then uses those stored values as filesystem paths when building email attachments. No authentication required. Submit a booking, get a file. CVSS 7.5.
What happened
Salon Booking System is a WordPress appointment booking plugin with a public-facing booking flow and confirmation email delivery.
CVE-2026-6320 is an unauthenticated arbitrary file read. The booking form accepts attacker-supplied values in a file field. The plugin stores those values and later treats them as trusted filesystem paths when attaching files to booking confirmation emails. The attacker submits a path, the plugin reads that path, and the confirmation email delivers the file contents to whatever address was specified in the booking.
The exfiltration channel is baked in - no secondary step needed.
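The two halves of the bug class described above, modelled in Python as an added example (this is not the plugin's code, which is PHP and is not reproduced on this page; the directory names, the `wp-config.php` contents and the function names are assumptions for illustration). `vulnerable_attachment_bytes` does what the advisory describes: it opens the stored form value as a path. `resolve_attachment` is the hardened form a reviewer would ask for: the stored value is treated as an opaque file name, anchored under the plugin's upload directory, canonicalised, and checked to still sit inside that directory, which also defeats a planted symlink.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def vulnerable_attachment_bytes(stored_value: str) -> bytes:
    # The bug class: the value the visitor typed into the file field was stored
    # as-is and is now opened as a filesystem path when the confirmation mail is
    # assembled. Whatever the web server user can read, the mail carries out.
    with open(stored_value, "rb") as fh:
        return fh.read()


def resolve_attachment(stored_value: str, uploads_dir: str) -> Optional[str]:
    # Hardened form: the stored value is an opaque file *name*, never a path.
    # 1. Refuse anything containing a separator or a traversal token.
    name = os.path.basename(stored_value)
    if name != stored_value or name in ("", ".", ".."):
        return None
    # 2. Anchor the name under the upload directory and canonicalise both sides,
    #    so neither ".." components nor symlinks can escape the root.
    root = os.path.realpath(uploads_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # 3. Only regular files inside the root may become attachments.
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    # Constructed sample layout in a temporary directory (not a real site):
    # a site root holding wp-config.php and an upload directory holding one
    # legitimate attachment plus a symlink an attacker might have planted.
    site = tempfile.mkdtemp(prefix="sbs-demo-")
    uploads = os.path.join(site, "wp-content", "uploads", "salon-attachments")
    os.makedirs(uploads)
    Path(site, "wp-config.php").write_text("define('DB_PASSWORD', 'hunter2');\n")
    Path(uploads, "consent.pdf").write_bytes(b"%PDF-1.4 consent form")
    os.symlink(os.path.join(site, "wp-config.php"), os.path.join(uploads, "link.pdf"))

    absolute = os.path.join(site, "wp-config.php")  # absolute path in the file field
    traversal = "../../../wp-config.php"            # classic traversal from uploads
    return {
        "vulnerable_leak": vulnerable_attachment_bytes(absolute),
        "hardened_absolute": resolve_attachment(absolute, uploads),
        "hardened_traversal": resolve_attachment(traversal, uploads),
        "hardened_symlink": resolve_attachment("link.pdf", uploads),
        "hardened_legit": resolve_attachment("consent.pdf", uploads),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check order matters: rejecting separators first keeps the name from ever being joined as a path, and canonicalising with `realpath` before the prefix comparison is what catches the symlink case that a plain string-prefix check on the joined path would miss.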
| Item | Detail |
|---|---|
| Affected component | Salon Booking System - Free Version (WordPress plugin) |
| Affected versions | <= 10.30.25 |
| Primitive | Unauthenticated arbitrary file read via attachment path reuse |
| CWE | CWE-22 (Path Traversal) |
| Severity | CVSS 3.1 7.5 (High) |
| Disclosed | 2026-05-01T21:28:03Z |
File read bugs in WordPress plugins rarely stay contained. Leaking wp-config.php, backup archives, or .env files typically cascades into credential theft and follow-on access. The difference here is the exfil is automatic - the plugin emails the file without any further attacker interaction.
Who is impacted
- WordPress sites running Salon Booking System - Free Version at versions <= 10.30.25.
- Any deployment exposing the plugin's public booking flow to the internet - the standard configuration for a booking system.
- Highest risk where booking confirmation emails are enabled and the web server process can read sensitive files (database credentials, API tokens, cloud keys) from disk.
What to do now
- Update the plugin. The CVE record flags all versions <= 10.30.25 as affected. The WordPress.org changelog lists 10.30.26 with a generic "Vulnerability fix" entry but does not explicitly reference CVE-2026-6320. Use the CVE version scoping for impact assessment and verify against vendor release notes in your own environment.
- Inventory your WordPress estate for the `salon-booking-system` plugin (for example `wp plugin list` on each site, or your management tooling) and confirm installed versions.
- Treat this as a potential data exposure incident:
  - Review mail-sending logs - plugin-level, SMTP provider, or MTA logs - for booking confirmations with unexpected or suspicious attachments. MTA logs usually record recipient and message size rather than attachment names, so confirmations of unusual size sent to unfamiliar addresses are the signal there.
  - Review web server logs for booking submissions that reference filesystem paths in file-related fields. Standard access logs do not capture POST bodies, so unless a WAF or request-body log is in place, the stored booking records are the more reliable evidence: the plugin persists the submitted file-field values, so an attacker's path survives in the database.
  - If you suspect exploitation, rotate any credentials readable by the WordPress process: database passwords, SMTP credentials, API tokens, and third-party integration keys.
- Apply your standard incident response process before assuming the worst - but don't wait for confirmation before rotating credentials.
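A triage pass over exported booking records, as an added example that is not part of the advisory or the plugin. The record shape (`id`, `email`, `created`, `file_fields`) and the sample export are constructed for illustration; the plugin's real table and column names are not on this page, so map them yourself. The classifier flags the kinds of values that should never appear where a plain upload file name belongs: traversal tokens, absolute paths, stream wrappers, URL-encoded path bytes, and well-known credential files.

```python
import re
from typing import Dict, Iterable, List

# Heuristics for a value that should have been a plain file name but looks like
# a filesystem path or a target worth stealing. Tuned for triage, not blocking:
# a false positive costs an analyst a glance, a miss costs a credential file.
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")
ABSOLUTE = re.compile(r"^(?:[\\/]|[A-Za-z]:[\\/]|~)")
WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)          # php://, file://, ...
ENCODED = re.compile(r"%2e%2e|%2f|%5c|%00|\x00", re.IGNORECASE)         # encoded traversal / NUL
SENSITIVE = re.compile(
    r"wp-config\.php|\.env$|\.htpasswd|id_rsa|/etc/passwd|\.sql(?:\.gz)?$|\.bak$",
    re.IGNORECASE,
)


def classify(value: str) -> List[str]:
    """Return the reasons a stored file-field value is suspicious (empty = looks benign)."""
    reasons = []
    if TRAVERSAL.search(value):
        reasons.append("traversal")
    if ABSOLUTE.match(value):
        reasons.append("absolute-path")
    if WRAPPER.match(value):
        reasons.append("stream-wrapper")
    if ENCODED.search(value):
        reasons.append("encoded-path-bytes")
    if SENSITIVE.search(value):
        reasons.append("sensitive-target")
    return reasons


def scan_bookings(records: Iterable[Dict]) -> List[Dict]:
    """Walk exported booking records and flag every file-field value that looks like a path.
    Record shape is an assumption for this example: {"id", "email", "created", "file_fields"}."""
    hits = []
    for rec in records:
        for field, value in (rec.get("file_fields") or {}).items():
            reasons = classify(str(value))
            if reasons:
                hits.append({
                    "booking_id": rec.get("id"),
                    "email": rec.get("email"),     # where the attachment was delivered
                    "created": rec.get("created"),
                    "field": field,
                    "value": value,
                    "reasons": reasons,
                })
    return hits


# Constructed sample export: benign bookings interleaved with three probing ones.
SAMPLE_BOOKINGS = [
    {"id": 1041, "email": "alice@example.com", "created": "2026-04-28T09:12:00Z",
     "file_fields": {"consent_form": "consent-1041.pdf"}},
    {"id": 1042, "email": "probe@example.net", "created": "2026-04-29T14:03:00Z",
     "file_fields": {"consent_form": "../../../../wp-config.php"}},
    {"id": 1043, "email": "probe@example.net", "created": "2026-04-29T14:05:00Z",
     "file_fields": {"consent_form": "/var/www/html/wp-config.php"}},
    {"id": 1044, "email": "probe@example.net", "created": "2026-04-29T14:06:00Z",
     "file_fields": {"consent_form": "php://filter/convert.base64-encode/resource=../.env"}},
    {"id": 1045, "email": "bob@example.com", "created": "2026-04-30T10:41:00Z",
     "file_fields": {"consent_form": "photo_before.jpg", "reference": "photo_after.jpg"}},
    {"id": 1046, "email": "carol@example.com", "created": "2026-04-30T11:00:00Z",
     "file_fields": {}},
]


if __name__ == "__main__":
    for hit in scan_bookings(SAMPLE_BOOKINGS):
        print(f"booking {hit['booking_id']} -> {hit['email']}: "
              f"{hit['field']}={hit['value']!r} [{', '.join(hit['reasons'])}]")
```

Every hit carries the booking's email address because, for this bug, that address is where the file went; clustering hits by address and timestamp gives you the attacker's probing session and the list of files to assume leaked, which is what drives the credential rotation above.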
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
