cleantalk
Vulnerabilities and Security Researches

Salon booking system, CVE-2026-6320

CVE, Research URL

CVE-2026-6320

Home page URL

Security reports for Salon booking system

Application

Salon booking system

Published on
May 02, 2026
Research Description
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.
Affected versions
max 10.30.26.
Status
vulnerable
Previous vulnerability researches
Question Answer (CVE-2025-32647) , Jun 13, 2026
Question Answer (CVE-2025-31810) , Apr 03, 2025
Question Answer (CVE-2025-32646) , Apr 18, 2025
AnsPress – Question and answer (CVE-2023-34374) , Jun 07, 2024
New vulnerability
XT Floating Cart for WooCommerce (CVE-2023-33999) , Jun 14, 2026
Child Support Calculator (CVE-2023-33999) , Jun 14, 2026
WP Required Taxonomies – Categories and Tags Mandatory (CVE-2023-33999) , Jun 14, 2026
Pods – Custom Content Types and Fields (CVE-2023-33999) , Jun 14, 2026
Slider, Gallery, and Carousel by MetaSlider – Responsive WordPress Slideshows (CVE-2022-47150) , Jun 14, 2026