CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-15070

highCVSS 8.8covered by 1 sourcefirst seen 2026-07-10
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into the web-accessible translate-constants.php file within the plugin directory, enabling remote code execution on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. sanitize_text_field() is applied to the POST 'value' parameter but does not neutralize the characters — single quotes, parentheses, semicolons, $, and [] — required to break out of the PHP string literal into which the value is interpolated before being written to disk via file_put_contents().

⚡ Watch CVE-2026-15070

Get an email if CVE-2026-15070 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-15070

CVE.org record

Embed the live status

CVE-2026-15070 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-15070 status](https://www.csirts.com/badge/CVE-2026-15070)](https://www.csirts.com/cve/CVE-2026-15070)