CVE-2026-15070
Received Received - Intake

Cross-Site Request Forgery Leads to RCE in Salon Booking System

Vulnerability report for CVE-2026-15070, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file within the plugin directory, enabling remote code execution on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. sanitize_text_field() is applied to the POST 'value' parameter but does not neutralize the characters β€” single quotes, parentheses, semicolons, $, and [] β€” required to break out of the PHP string literal into which the value is interpolated before being written to disk via file_put_contents().

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordfence salon_booking_system_free_version to 10.30.32 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Salon Booking System – Free Version plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 10.30.32. This occurs because the plugin lacks proper nonce validation on the setCustomText function. As a result, an unauthenticated attacker can trick a site administrator into performing an action, such as clicking a malicious link, which allows the attacker to inject arbitrary PHP code into the translate-constants.php file within the plugin directory.

Although the plugin applies sanitize_text_field() to the POST 'value' parameter, this function does not neutralize certain characters (like single quotes, parentheses, semicolons, $, and square brackets) that are necessary to break out of the PHP string literal. This enables the attacker to execute remote code on the server by writing malicious PHP code to disk.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the server hosting the WordPress site. An attacker who successfully exploits this flaw can run arbitrary PHP code, potentially leading to full server compromise.

  • Unauthorized access to sensitive data.
  • Modification or deletion of website content or data.
  • Installation of backdoors or malware.
  • Disruption of website availability or functionality.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15070. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart