Cyber Resilience

CVE-2024-4442

Severity: Critical
Published: 21 May 2024
Modified: 08 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.2671 (96.5th percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-4442 is a critical-severity Path Traversal (CWE-22) vulnerability in the Salon Booking System WordPress plugin (vendor: salonbookingsystem). Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 3.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to and including 9.8. The issue stems from insufficient validation of file paths supplied to an uploaded-file removal handler, allowing path traversal (CWE-22). Unauthenticated attackers can therefore supply crafted paths that cause deletion of arbitrary files on the server, including wp-config.php, which can lead to database credential disclosure and subsequent site takeover or remote code execution. The vulnerability was only partially addressed in version 9.9 and fully resolved in 10.0; CVE-2024-37231 is noted as a duplicate.

Unauthenticated remote attackers can exploit the flaw without any user interaction or authentication. By invoking the plugin’s AJAX file-removal endpoint with a malicious path parameter, an attacker can delete critical WordPress configuration files or other sensitive content, directly resulting in integrity and availability impacts rated at CVSS 9.1.

Public references point to the vulnerable code in RemoveUploadedFile.php and to subsequent WordPress plugin repository changesets that implement the necessary path sanitization. Site owners are advised to update immediately to version 10.0 or later; administrators unable to update should consider temporary mitigation such as disabling the booking plugin or restricting access to its AJAX endpoints.

EPSS for the CVE reached a peak of 0.3370 (current value 0.2671), indicating a noticeable increase in observed exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 9.8. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This was partially patched in 9.9, and sufficiently patched in 10.0. CVE-2024-37231 appears to be a duplicate of this issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: salonbookingsystem
Product: salon booking system
Versions: ≤ 10.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Pathname validation (addresses CWE-22): validate pathnames and filenames so that file operations cannot traverse outside the intended directory.
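The following is an added example of what that control looks like for a file-removal handler; it is not the plugin's code and does not reproduce RemoveUploadedFile.php or the upstream changesets. It assumes a single allowed uploads directory ($base_dir, which in a real plugin would come from wp_upload_dir()['basedir']), a hypothetical request parameter carrying only a bare file name, and that the caller has already enforced WordPress nonce and capability checks. The demonstration directory and file at the bottom are constructed for the example.

```php
<?php
// Added example (not the plugin's code): a hardened "remove uploaded file" routine
// that confines deletion to one uploads directory and rejects traversal.
function sbs_safe_remove_upload(string $base_dir, string $requested): array
{
    // Resolve the allowed directory once; everything must stay underneath it.
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return ['ok' => false, 'reason' => 'base directory missing'];
    }

    // Accept only a bare file name: no separators, no NUL bytes, no "." or "..".
    // This rejects "../wp-config.php" before any filesystem call is made.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpbrk($requested, "/\\\0") !== false) {
        return ['ok' => false, 'reason' => 'invalid file name'];
    }

    // realpath() also resolves symlinks, so a link pointing outside the
    // uploads directory is caught by the prefix check below.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_file($resolved)) {
        return ['ok' => false, 'reason' => 'no such file'];
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return ['ok' => false, 'reason' => 'outside uploads directory'];
    }

    // Allow-list of extensions the handler is meant to manage (assumed list).
    $ext = strtolower(pathinfo($resolved, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'pdf'], true)) {
        return ['ok' => false, 'reason' => 'disallowed file type'];
    }

    if (!unlink($resolved)) {
        return ['ok' => false, 'reason' => 'unlink failed'];
    }
    return ['ok' => true, 'path' => $resolved];
}

// Demonstration on a constructed temporary uploads directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sbs_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'receipt.pdf', 'demo');

var_dump(sbs_safe_remove_upload($tmp, '../wp-config.php')); // rejected: invalid file name
var_dump(sbs_safe_remove_upload($tmp, 'receipt.pdf'));      // ok: file deleted
var_dump(sbs_safe_remove_upload($tmp, 'receipt.pdf'));      // rejected: no such file

rmdir($tmp);
```

The two checks matter together: the bare-name filter stops the obvious traversal strings, and the realpath() prefix comparison stops what the filter cannot see, such as a symlink inside the uploads directory that points at a configuration file elsewhere on the server.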

References