CVE-2026-6320 is a path traversal vulnerability (CWE-22) in the Salon Booking System – Free Version WordPress plugin, affecting versions up to and including 10.30.25. The vulnerability arises because the plugin's public booking flow accepts file-field inputs controlled by attackers and later uses these inputs as file paths for email attachments without proper validation. This flaw enables unauthenticated attackers to read arbitrary files on the local server and exfiltrate them via booking confirmation emails. The CVSS 3.1 base score is 7.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. No patch or official remediation has been published, and the plugin is not a cloud service.

An unauthenticated attacker can exploit this vulnerability to read arbitrary local files on the server hosting the vulnerable plugin. Confidential information stored on the server could be disclosed through exfiltration in booking confirmation email attachments. There is no impact on integrity or availability reported. No known exploits are currently active in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the affected plugin or restricting access to the booking functionality to trusted users only. Monitoring for updates from the vendor wordpresschef is recommended to apply any forthcoming patches promptly.