Arbitrary File Read Vulnerability in Salon Booking System by WordPress
CVE-2026-6320

7.5 HIGH

What is CVE-2026-6320?

The Salon Booking System - Free Version plugin for WordPress contains a vulnerability that unauthenticated attackers can reach through the public booking flow. The plugin accepts attacker-controlled values for file fields and later uses those values, unvalidated, as trusted filesystem paths for email attachments. As a result, an attacker can cause the plugin to read arbitrary local files and potentially exfiltrate them through booking confirmation emails, exposing sensitive site and user data.
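The following is an added illustration of the vulnerable pattern described above beside a hardened version; it is not the plugin's code, and the function names, the upload directory layout and the token format are hypothetical. WordPress's real `wp_mail()` takes an array of attachment paths as its fifth argument, which is why a request value that reaches that array unchecked becomes a file read.

```php
<?php
// Added example (not the plugin's code). Hypothetical helpers:
//   sbs_demo_attachments_unsafe() - mirrors the flaw: request value used as a path
//   sbs_demo_attachments_safe()   - only attaches files the plugin itself stored

/**
 * Vulnerable pattern: whatever the client sent for the file field is handed
 * straight to the mailer as a filesystem path, so any readable local file can
 * be attached to the booking confirmation email.
 */
function sbs_demo_attachments_unsafe( array $request ): array {
    $path = (string) ( $request['attachment'] ?? '' );
    return $path !== '' ? array( $path ) : array();
}

/**
 * Hardened pattern: the client may only refer to an attachment by the opaque
 * token the plugin assigned at upload time. The path is built server-side,
 * canonicalised with realpath(), and must resolve inside the upload directory.
 */
function sbs_demo_attachments_safe( array $request, string $upload_dir ): array {
    $token = (string) ( $request['attachment'] ?? '' );

    // Reject anything that is not a token of the expected shape (hex, fixed length).
    if ( ! preg_match( '/^[a-f0-9]{32}$/', $token ) ) {
        return array();
    }

    $base = realpath( $upload_dir );
    $real = realpath( $upload_dir . DIRECTORY_SEPARATOR . $token . '.pdf' );
    if ( false === $base || false === $real ) {
        return array();
    }

    // Containment check: the resolved path must sit under the upload directory
    // and must be a regular file (no symlink to elsewhere, no directory).
    if ( 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) || ! is_file( $real ) ) {
        return array();
    }

    return array( $real );
}

// Constructed demonstration data: a scratch upload directory with one stored file.
$upload_dir = sys_get_temp_dir() . '/sbs-demo-uploads';
if ( ! is_dir( $upload_dir ) ) {
    mkdir( $upload_dir, 0700, true );
}
$token = str_repeat( 'ab', 16 ); // 32 hex chars, as the plugin would have generated
file_put_contents( $upload_dir . '/' . $token . '.pdf', "constructed attachment\n" );

$hostile = array( 'attachment' => '/not/under/uploads/secret.txt' );
$benign  = array( 'attachment' => $token );

echo "unsafe, hostile input: ", json_encode( sbs_demo_attachments_unsafe( $hostile ) ), "\n";
echo "safe,   hostile input: ", json_encode( sbs_demo_attachments_safe( $hostile, $upload_dir ) ), "\n";
echo "safe,   benign input:  ", json_encode( sbs_demo_attachments_safe( $benign, $upload_dir ) ), "\n";
```

The unsafe variant returns the hostile path unchanged, which is exactly what would be handed to `wp_mail()`; the safe variant returns an empty list for it and only the plugin-owned file for the valid token. The design point is that the request never carries a path at all: the client supplies a reference, and the server decides what that reference maps to.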

Affected Version(s)

Salon Booking System – Free Version: all versions from 0 up to and including 10.30.25 (0 <= version <= 10.30.25)

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo