Cross-Site Request Forgery Vulnerability in Salon Booking System Plugin for WordPress
CVE-2026-15070

8.8HIGH

What is CVE-2026-15070?

The Salon Booking System – Free Version plugin for WordPress exhibits a Cross-Site Request Forgery vulnerability due to inadequate nonce validation within the setCustomText function. This issue allows unauthenticated attackers to exploit the weakness and inject malicious PHP code into the translate-constants.php file. By tricking a site administrator into executing a crafted request, an attacker can achieve remote code execution on the server. Although the sanitize_text_field() function is applied to the POST 'value' parameter, it fails to neutralize certain characters that could break out of the PHP string context, thus compromising the security of the application.

Affected Version(s)

Salon Booking System – Free Version 0 <= 10.30.32

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Afifudin Maarif
.