Skip to main content

Salon Booking System Pro EUVDEUVD-2026-15647

| CVE-2026-25334 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-3xj3-c6fm-38wm
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:15 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.30.12
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15647
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.1

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking-plugin-pro allows Privilege Escalation.This issue affects Salon Booking System Pro: from n/a through < 10.30.12.

AnalysisAI

An Incorrect Privilege Assignment vulnerability (CWE-266) exists in the Salon Booking System Pro WordPress plugin versions prior to 10.30.12, allowing attackers to escalate privileges and potentially achieve account takeover. The vulnerability affects all versions of the salon-booking-plugin-pro from an unspecified baseline through version 10.30.11. This privilege escalation can be exploited by unauthenticated or low-privileged attackers to gain unauthorized administrative access to the booking system.

Technical ContextAI

The vulnerability resides in the wordpresschef Salon Booking System Pro plugin (CPE: cpe:2.3:a:wordpresschef:salon_booking_system_pro), a WordPress plugin designed to manage salon appointment bookings. The root cause is classified under CWE-266 (Incorrect Privilege Assignment), which occurs when a system assigns privileges incorrectly, allowing attackers to perform actions they should not be permitted to execute. In the context of WordPress plugins, this typically manifests as inadequate capability checks when processing user requests, failing to verify that a user possesses the required role or permission before allowing them to perform sensitive operations such as modifying bookings, accessing customer data, or escalating their account privileges. The plugin's privilege verification logic fails to properly enforce WordPress role-based access control (RBAC), enabling privilege escalation attacks.

RemediationAI

Immediately upgrade Salon Booking System Pro to version 10.30.12 or later, which contains the privilege assignment correction. Access the WordPress plugin repository or the vendor's official distribution channel to obtain the patched version. Site administrators should verify the plugin version in the WordPress admin dashboard under Installed Plugins and enable automatic security updates for this plugin if not already enabled. As an interim precaution before patching, restrict administrative access to the booking system by limiting user roles, implementing Web Application Firewall (WAF) rules to monitor for privilege escalation attempts, and reviewing access logs for unauthorized privilege changes. Additionally, audit all user accounts and reset credentials for users with administrative or elevated privileges to ensure no unauthorized access occurred during the window the vulnerability was present.

Share

EUVD-2026-15647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy