CVE-2024-4442

Name of the Vulnerable Software and Affected Versions The Salon booking system plugin for WordPress version 9.8 and earlier

Description The issue is due to the plugin not properly validating the path of an uploaded file prior to deleting it, making it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file. This can lead to site takeover and remote code execution.

Recommendations Update to a version later than 9.8 to resolve the issue. As a temporary workaround, consider restricting access to the file deletion functionality until a patch is available. Avoid using the plugin's file upload and deletion features until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.