CVE-2026-15070 in Salon Booking System Plugininfo

Summary

by MITRE • 07/10/2026

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file within the plugin directory, enabling remote code execution on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. sanitize_text_field() is applied to the POST 'value' parameter but does not neutralize the characters — single quotes, parentheses, semicolons, $, and [] — required to break out of the PHP string literal into which the value is interpolated before being written to disk via file_put_contents().

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The Salon Booking System – Free Version plugin for WordPress represents a significant security vulnerability through its implementation of cross-site request forgery protection mechanisms. This flaw affects all versions up to and including 10.30.32, creating a critical attack surface that allows unauthenticated adversaries to execute arbitrary PHP code on affected systems. The vulnerability stems from insufficient nonce validation within the setCustomText function, which operates without proper authentication checks or cryptographic token verification typically required for state-changing operations in web applications.

The technical exploitation of this vulnerability occurs through manipulation of the translate-constants.php file located within the plugin directory structure. Attackers can inject malicious PHP code into this file by crafting a forged request that bypasses standard security measures. The core flaw lies in how the plugin handles user input through the POST 'value' parameter, which undergoes only superficial sanitization via sanitize_text_field(). This function fails to adequately neutralize critical characters including single quotes, parentheses, semicolons, dollar signs, and square brackets that are essential for breaking out of PHP string literals during code interpolation. These characters can be leveraged to construct malicious payloads that execute arbitrary commands on the target server.

The operational impact of this vulnerability extends beyond simple code injection, as it enables complete remote code execution capabilities for attackers who can successfully trick administrators into performing actions such as clicking malicious links. This scenario represents a classic csrf attack vector where social engineering becomes the primary delivery mechanism for exploitation. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery issues in web applications, and demonstrates how insufficient input validation combined with inadequate access controls creates dangerous conditions for remote code execution attacks. From an ATT&CK framework perspective, this vulnerability maps to T1059.007 for remote code execution and T1566 for social engineering techniques that exploit human factors.

Mitigation strategies should prioritize immediate plugin updates to versions that address the nonce validation deficiencies and implement proper input sanitization mechanisms. Organizations must also deploy web application firewalls to monitor for suspicious request patterns and establish network segmentation to limit potential lateral movement. The vulnerability highlights the importance of implementing robust access control measures, including proper nonce generation and verification processes, as well as comprehensive input validation that accounts for context-specific threat vectors. Additionally, administrators should conduct thorough security audits of all installed plugins to identify similar issues that may exist in other components of their WordPress installations.

Responsible

Wordfence

Reservation

07/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!