Salon Booking System
Unauthenticated Insecure Direct Object Reference in the Salon Booking System WordPress plugin (versions <= 10.30.24) allows remote attackers to access or manipulate booking objects belonging to other users by tampering with object identifiers in requests. The flaw was reported by Patchstack and affects the dimitri_grassi salon_booking_system plugin per the provided CPE; no public exploit was identified at the time of analysis.
Unauthenticated information disclosure in the Salon Booking System WordPress plugin (versions up to and including 10.30.25) allows remote attackers to bypass authorization checks and access sensitive data without credentials. The flaw, tracked by Patchstack and tagged as an authentication bypass, is network-reachable with low complexity and requires no user interaction. No public exploit was identified at the time of analysis, and the vulnerability is not listed in CISA KEV.
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.