Cross-Site Request Forgery Vulnerability in Salon Booking System Plugin for WordPress
CVE-2026-15070
8.8HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15070?
The Salon Booking System β Free Version plugin for WordPress exhibits a Cross-Site Request Forgery vulnerability due to inadequate nonce validation within the setCustomText function. This issue allows unauthenticated attackers to exploit the weakness and inject malicious PHP code into the translate-constants.php file. By tricking a site administrator into executing a crafted request, an attacker can achieve remote code execution on the server. Although the sanitize_text_field() function is applied to the POST 'value' parameter, it fails to neutralize certain characters that could break out of the PHP string context, thus compromising the security of the application.
Affected Version(s)
Salon Booking System β Free Version 0 <= 10.30.32