CVE-2024-4442 CRITICAL

CVE-2024-4442: Salon booking system <= 9.9 - Unauthenticated Arbitrary File Deletion

Vendor: Wordpresschef
Product: Salon Booking System – Free Version
Weakness: CWE-22 · Path traversal
Published: May 21, 2024
Last update: April 8, 2026

CVSS base score

9.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The Salon booking system plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 9.8. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. This was partially patched in 9.9, and sufficiently patched in 10.0. CVE-2024-37231 appears to be a duplicate of this issue.

Key dates

02 Disclosure timeline

May 21, 2024: CVE published
April 8, 2026: Record updated