CVE-2026-6320
Published: 02 May 2026
Summary
CVE-2026-6320 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6320 is an arbitrary file read vulnerability (CWE-22) affecting the Salon Booking System – Free Version plugin for WordPress in versions up to and including 10.30.25. The issue arises in the public booking flow, which accepts attacker-controlled values in file fields and subsequently treats those values as trusted file paths when attaching files to booking confirmation emails. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
Unauthenticated remote attackers can exploit this vulnerability by submitting a malicious booking request with a crafted file path, such as traversing to sensitive server files like /etc/passwd or WordPress configuration files. Upon booking confirmation, the targeted file is read from the server and attached to the email sent to the attacker-controlled recipient address, enabling exfiltration of arbitrary local files accessible to the web server process.
Mitigation details are available in the plugin's official patch at https://plugins.trac.wordpress.org/changeset/3512110/salon-booking-system, which security practitioners should apply immediately to affected versions. Additional threat intelligence, including detection and further analysis, is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e91b8082-e1c7-4989-82db-20e255b52854?source=cve. WordPress site administrators are advised to update the plugin and review booking logs for suspicious activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26784
Vulnerability details
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
Vulnerability in a public-facing WordPress plugin enables remote exploitation via crafted booking requests (T1190) and direct arbitrary local file reads for exfiltration (T1005).
Affected Assets
- Salon Booking System – Free Version plugin for WordPress, versions up to and including 10.30.25
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of the specific arbitrary file read flaw in the Salon Booking System plugin via the official patch, preventing exploitation.
- SI-10 (Information Input Validation): Implements input validation on attacker-controlled file-field values in the public booking flow to block path traversal and arbitrary file reads.
- Least privilege: Enforces least privilege for the web server process, limiting the scope of readable files even if path traversal inputs are processed.
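The SI-10 control above is the one a plugin developer has to implement in code: a value that arrived in a public form field must never be used as a file path, at intake or later when the stored value is read back to build an email attachment. The PHP below is an added illustration written for this page, not the Salon Booking System plugin's code or its official patch. It assumes a single dedicated attachment directory (in a WordPress plugin this would normally be a subdirectory of wp_upload_dir()['basedir']), that only a bare file name with an allow-listed extension is acceptable, and that the stored value is re-validated and canonicalised at send time rather than trusted because it came from the database. The function and constant names are hypothetical.

```php
<?php
// Added example (not the plugin's code): hardened handling of a user-supplied
// file-field value before it may be used as an email attachment path.
// Assumptions: attachments live under one dedicated directory ($allowedDir),
// and only a bare file name with an allow-listed extension is acceptable.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['pdf', 'jpg', 'jpeg', 'png'];

/**
 * Validate the raw value at intake. Returns the file name if it is a plain,
 * allow-listed file name, or null for anything else (paths, traversal
 * segments, NUL bytes, unexpected extensions).
 */
function validate_attachment_name(string $value): ?string
{
    // Allow-list the characters; this excludes "/", "\", NUL and control
    // characters, and a leading "." (so "." and ".." cannot pass).
    if ($value === '' || preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $value) !== 1) {
        return null;
    }
    // Belt and braces: basename() must leave the value unchanged. Note that
    // basename() alone is NOT a fix, it would silently turn a traversal
    // string into its last segment instead of rejecting it.
    if (basename($value) !== $value) {
        return null;
    }
    $ext = strtolower(pathinfo($value, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $value;
}

/**
 * Resolve a stored name to an absolute path at send time and confirm it is
 * still inside $allowedDir after symlink resolution. Returns null otherwise.
 */
function resolve_attachment_path(string $storedName, string $allowedDir): ?string
{
    // Re-validate: a value read back from storage is no more trustworthy
    // than the form submission it came from.
    $name = validate_attachment_name($storedName);
    if ($name === null) {
        return null;
    }
    $base = realpath($allowedDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for a missing file and follows symlinks, so a
    // link planted inside the directory that points elsewhere resolves to
    // its real target and fails the containment check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-contained demonstration with a temporary directory and constructed inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach-example-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'receipt.pdf', '%PDF-1.4 constructed sample');

$inputs = [
    'receipt.pdf',            // legitimate stored name
    '../../../../etc/passwd', // traversal attempt
    '/etc/passwd',            // absolute path
    'wp-config.php',          // wrong extension
    "receipt.pdf\0.jpg",      // embedded NUL byte
    'missing.pdf',            // passes validation but does not exist
];
foreach ($inputs as $input) {
    $path = resolve_attachment_path($input, $dir);
    printf("%-30s => %s\n", json_encode($input), $path === null ? 'REJECTED' : 'attach ' . $path);
}

unlink($dir . DIRECTORY_SEPARATOR . 'receipt.pdf');
rmdir($dir);
```

Run it with `php example.php`; only the legitimate file name resolves, every other constructed input is rejected before any file is opened. Two design points matter more than the individual checks: validation happens again at the point of use, because the original flaw was precisely that a stored value was treated as already trusted; and containment is decided on the canonicalised path (realpath plus a prefix comparison), not on the presence of "../" in the string. A stronger design still is to never store the user's string at all and instead store a plugin-generated file name or attachment ID, which removes the attacker-controlled path from the data flow entirely.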