Cyber Resilience

CVE-2026-6320

Severity: High
Published: 02 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: available (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6320 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6320 is an arbitrary file read vulnerability (CWE-22) affecting the Salon Booking System – Free Version plugin for WordPress in versions up to and including 10.30.25. The issue arises in the public booking flow, which accepts attacker-controlled values in file fields and subsequently treats those values as trusted file paths when attaching files to booking confirmation emails. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated remote attackers can exploit this vulnerability by submitting a malicious booking request with a crafted file path, such as traversing to sensitive server files like /etc/passwd or WordPress configuration files. Upon booking confirmation, the targeted file is read from the server and attached to the email sent to the attacker-controlled recipient address, enabling exfiltration of arbitrary local files accessible to the web server process.

The plugin's official patch is available at https://plugins.trac.wordpress.org/changeset/3512110/salon-booking-system and should be applied immediately to affected versions. Additional threat intelligence, including detection guidance and further analysis, is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e91b8082-e1c7-4989-82db-20e255b52854?source=cve. WordPress site administrators are advised to update the plugin and review booking logs for suspicious activity.
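As an added example that is not the plugin's own code (the sbs_example_ function names are hypothetical), one way to stop a stored file-field value from being used as a trusted attachment path is to accept only a bare file name and to verify that it canonicalises to a regular file inside the directory the plugin itself writes to, before the path reaches wp_mail():

```php
<?php
// Added example, not the Salon Booking System plugin's code.
// Names prefixed sbs_example_ are hypothetical.

/**
 * Return the canonical path of $stored if, and only if, it resolves to an
 * existing regular file inside $base_dir; otherwise return null.
 */
function sbs_example_safe_attachment_path(string $stored, string $base_dir): ?string
{
    // The booking form should only ever store the name of a file the plugin
    // itself saved, so anything with a directory component is rejected outright.
    if ($stored === '' || $stored !== basename($stored)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix check on the
    // canonical result is what actually enforces the directory boundary.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $stored);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Building the confirmation email (assumes WordPress is loaded; the
// "salon-booking-example" subdirectory is an assumed upload location).
function sbs_example_send_confirmation(string $to, array $stored_files): bool
{
    $base = wp_upload_dir()['basedir'] . '/salon-booking-example';
    $attachments = [];
    foreach ($stored_files as $stored) {
        $path = sbs_example_safe_attachment_path($stored, $base);
        if ($path === null) {
            // Log and drop the value; a rejected path is a detection signal.
            error_log('Rejected booking attachment value: ' . $stored);
            continue;
        }
        $attachments[] = $path;
    }
    return wp_mail($to, 'Booking confirmation', 'Your booking is confirmed.', '', $attachments);
}
```

With this check, values such as "../../etc/passwd" or an absolute configuration file path never reach the mail function, and each rejection leaves a log line that can be correlated with the booking-log review recommended above.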


Vulnerability details

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability sits in a public-facing WordPress plugin and is triggered remotely by a crafted booking request (T1190); successful exploitation yields direct reads of arbitrary local files for exfiltration (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-12824 (shared CWE-22)
- CVE-2026-25965 (shared CWE-22)
- CVE-2025-30567 (shared CWE-22)
- CVE-2025-27098 (shared CWE-22)
- CVE-2024-55457 (shared CWE-22)
- CVE-2026-35485 (shared CWE-22)
- CVE-2024-54909 (shared CWE-22)
- CVE-2026-3405 (shared CWE-22)
- CVE-2025-41368 (shared CWE-22)
- CVE-2026-23850 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): Requires timely remediation of the specific arbitrary file read flaw in the Salon Booking System plugin via the official patch, preventing exploitation.
- SI-10 Information Input Validation (prevent): Implements input validation on attacker-controlled file-field values in the public booking flow to block path traversal and arbitrary file reads.
- Least privilege for the web server process (prevent): Limits the scope of readable files even if path traversal inputs are processed.
