CVE-2024-4442: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wordpresschef Salon Booking System – Free Version
The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 9.8. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This was partially patched in 9.9, and sufficiently patched in 10.0. CVE-2024-37231 appears to be a duplicate of this issue.
AI Analysis
Technical Summary
CVE-2024-4442 is a path traversal vulnerability in the WordPress Salon Booking System – Free Version plugin that allows unauthenticated attackers to delete arbitrary files by exploiting improper pathname validation during file deletion operations. Versions up to 9.8 are vulnerable. The issue was partially addressed in version 9.9 and fully resolved in version 10.0. This vulnerability can lead to high-impact consequences such as site takeover and remote code execution by deleting critical files like wp-config.php. CVE-2024-37231 is considered a duplicate of this issue.
Potential Impact
Successful exploitation enables unauthenticated attackers to delete arbitrary files on the affected server, including critical WordPress configuration files. This can result in denial of service, site takeover, and remote code execution, posing a critical risk to affected websites.
Mitigation Recommendations
A complete fix is available in version 10.0 of the Salon Booking System – Free Version plugin. Users should upgrade to version 10.0 or later to fully remediate this vulnerability. Versions 9.9 and later include partial fixes but do not fully resolve the issue. There is no vendor advisory provided, so patch status is based on the CVE description. No additional mitigations are specified.
CVE-2024-4442: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wordpresschef Salon Booking System – Free Version
Description
The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 9.8. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This was partially patched in 9.9, and sufficiently patched in 10.0. CVE-2024-37231 appears to be a duplicate of this issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-4442 is a path traversal vulnerability in the WordPress Salon Booking System – Free Version plugin that allows unauthenticated attackers to delete arbitrary files by exploiting improper pathname validation during file deletion operations. Versions up to 9.8 are vulnerable. The issue was partially addressed in version 9.9 and fully resolved in version 10.0. This vulnerability can lead to high-impact consequences such as site takeover and remote code execution by deleting critical files like wp-config.php. CVE-2024-37231 is considered a duplicate of this issue.
Potential Impact
Successful exploitation enables unauthenticated attackers to delete arbitrary files on the affected server, including critical WordPress configuration files. This can result in denial of service, site takeover, and remote code execution, posing a critical risk to affected websites.
Mitigation Recommendations
A complete fix is available in version 10.0 of the Salon Booking System – Free Version plugin. Users should upgrade to version 10.0 or later to fully remediate this vulnerability. Versions 9.9 and later include partial fixes but do not fully resolve the issue. There is no vendor advisory provided, so patch status is based on the CVE description. No additional mitigations are specified.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-05-02T18:37:46.843Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b8eb7ef31ef0b55694a
Added to database: 2/25/2026, 9:37:18 PM
Last enriched: 4/9/2026, 7:44:48 AM
Last updated: 4/12/2026, 8:36:30 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.