Salon Booking System WordPress Plugin Arbitrary File Read Vulnerability

Vulnerability

A vulnerability allowing arbitrary file read has been identified in the Salon Booking System – Free Version plugin for WordPress, affecting versions through 10.30.25. The issue arises because the public booking flow accepts file-field values controlled by attackers. These values are later used as trusted paths for email attachments, enabling unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation emails.
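
A defensive check for the flaw class described above, as an added example that is not the plugin's code or its actual patch: the hypothetical helper `sbs_example_safe_attachment()` treats a submitted file-field value as a bare file name and returns a path only when it canonicalises to a regular file inside the upload directory. The function name, directory layout and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the plugin.
// Returns a canonical path only if $submitted names a regular file inside
// $uploadDir; otherwise null. All names here are illustrative assumptions.
function sbs_example_safe_attachment(string $submitted, string $uploadDir): ?string
{
    $base = realpath($uploadDir);
    if ($base === false || $submitted === '' || strpos($submitted, "\0") !== false) {
        return null;
    }
    // Treat the submitted value as a bare file name: drop any directory part.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($submitted);
    // realpath() resolves symlinks and returns false for missing files.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit under the upload directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary upload directory holding one uploaded file,
// plus one file outside it that must never be attached.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sbs_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'photo.jpg', 'constructed sample');
$outside = $root . DIRECTORY_SEPARATOR . 'outside.txt';
file_put_contents($outside, 'constructed file outside the upload directory');

// Constructed field values: one legitimate, three that must be rejected.
$inputs = ['photo.jpg', $outside, '../outside.txt', 'missing.png'];
foreach ($inputs as $value) {
    $path = sbs_example_safe_attachment($value, $uploads);
    printf("%s => %s\n", $value, $path === null ? 'rejected' : 'attach ' . $path);
}

// Clean up the constructed files.
unlink($uploads . DIRECTORY_SEPARATOR . 'photo.jpg');
unlink($outside);
rmdir($uploads);
rmdir($root);
```

Only the value that resolves inside the upload directory yields a path; a caller would pass that returned path, never the raw field value, to the mail function's attachment list.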

Impact

Exploitation of this vulnerability allows for unauthorized reading of local files, with the possibility of exfiltrating this data through email attachments.

Remediation

Users are advised to update the Salon Booking System – Free Version plugin to version 10.30.26 or a newer patched version.

Added: May 2, 2026, 12:19 PM
Updated: May 2, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm

Spread: 3.4
Impact: 2.5
Exploitability: 8.2
Remediation: 7.7
Relevance: 7.2
Threat: 3.2
Urgency: 2.9
Incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.