Salon Booking System WordPress Plugin Missing Authorization Vulnerability in AJAX Actions

Vulnerability

The Salon Booking System WordPress plugin, in all versions up to and including 10.20, does not perform capability checks in its AJAX handlers. Because those handlers are reachable without authentication, an unauthenticated attacker can invoke them directly, leading to unauthorized modification of plugin data and limited file uploads.

Impact

An unauthenticated attacker can trigger the exposed AJAX actions, modifying plugin data and uploading files within whatever limits the affected handler imposes. The file upload is described as limited; the advisory does not claim arbitrary file upload or remote code execution.

Reproduction

To reproduce, send a request to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) without any session cookie, specifying the plugin's AJAX action and a 'method' parameter naming the handler to run. Because the plugin dispatches on 'method' without checking the caller's capabilities, the handler executes for an unauthenticated user. When testing, compare the response to the same request sent with no cookies against one sent as an administrator; a handler that behaves identically for both is missing the check.
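The dispatch pattern described above, shown as an added example beside a hardened version. This is illustrative code written for this page, not the Salon Booking System plugin's own source; the action name 'sbs_request', the class SBS_Handlers and its method names are placeholders, not identifiers from the plugin.

```php
<?php
// Added example, not the plugin's own code. Names below are placeholders.

// Placeholder handler class standing in for whatever the real plugin dispatches to.
class SBS_Handlers {
    public static function get_available_slots() { wp_send_json_success(array('slots' => array('10:00', '11:00'))); }
    public static function save_settings()       { update_option('sbs_settings', wp_unslash($_POST['settings'] ?? '')); wp_send_json_success(); }
    public static function upload_file()         { /* writes an uploaded file into the uploads dir */ wp_send_json_success(); }
}

// --- Vulnerable pattern ---
// The same callback is registered on wp_ajax_* (logged-in users) and
// wp_ajax_nopriv_* (anyone), so any visitor reaches it via admin-ajax.php,
// and the 'method' value selects the handler with no authorization check.
add_action('wp_ajax_sbs_request',        'sbs_ajax_dispatch_vulnerable');
add_action('wp_ajax_nopriv_sbs_request', 'sbs_ajax_dispatch_vulnerable');

function sbs_ajax_dispatch_vulnerable() {
    $method = isset($_POST['method']) ? $_POST['method'] : '';
    // Privileged handlers (settings writes, uploads) run for an unauthenticated caller.
    if (method_exists('SBS_Handlers', $method)) {
        call_user_func(array('SBS_Handlers', $method));
    }
    wp_die();
}

// --- Hardened pattern ---
// Side-effect-free methods are allowlisted for public use; everything else
// needs a valid nonce, a logged-in user and a specific capability.
add_action('wp_ajax_sbs_request',        'sbs_ajax_dispatch_hardened');
add_action('wp_ajax_nopriv_sbs_request', 'sbs_ajax_dispatch_hardened');

function sbs_ajax_dispatch_hardened() {
    $method = isset($_POST['method']) ? sanitize_key(wp_unslash($_POST['method'])) : '';

    $public_methods     = array('get_available_slots');
    $privileged_methods = array(
        'save_settings' => 'manage_options',
        'upload_file'   => 'upload_files',
    );

    if (in_array($method, $public_methods, true)) {
        call_user_func(array('SBS_Handlers', $method));
        wp_die();
    }

    if (!isset($privileged_methods[$method])) {
        wp_send_json_error('unknown method', 400);   // allowlist: reject anything unlisted
    }

    // CSRF check; the admin page embeds wp_create_nonce('sbs_ajax') as the 'nonce' field.
    check_ajax_referer('sbs_ajax', 'nonce');

    if (!is_user_logged_in() || !current_user_can($privileged_methods[$method])) {
        wp_send_json_error('forbidden', 403);
    }

    call_user_func(array('SBS_Handlers', $method));
    wp_die();
}
```

The hardened dispatcher fails closed: a method that is neither explicitly public nor explicitly mapped to a capability is rejected, so a newly added handler cannot become reachable by accident. Note that the nonce alone is not an authorization check; check_ajax_referer only proves the request originated from a page the site rendered, which is why current_user_can is still required.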

Remediation

No fixed version is known at the time of writing. Until one is released, deactivate and uninstall the plugin, or block the plugin's unauthenticated AJAX actions at the site level, and review the site for unexpected data changes and uploaded files. Do not block admin-ajax.php wholesale; WordPress core and other plugins depend on it.
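One way to apply the site-level mitigation above while waiting for a fix, as an added example that is not part of this advisory or the plugin: a must-use plugin that refuses the plugin's unauthenticated AJAX actions before the plugin's own callback runs. The action name 'sbs_request' is a placeholder; the real names must be taken from the plugin's own add_action('wp_ajax_nopriv_...') registrations.

```php
<?php
/**
 * Plugin Name: Deny unauthenticated AJAX actions (added example, not vendor code)
 * Description: Place in wp-content/mu-plugins/. Refuses wp_ajax_nopriv_* requests
 *              for the listed actions before the vulnerable handler sees them.
 */

// Placeholder list. Populate it from the plugin's source, e.g.
//   grep -rn "wp_ajax_nopriv_" wp-content/plugins/<plugin-dir>/
function deny_nopriv_blocked_actions() {
    return array('sbs_request');
}

function deny_nopriv_reject() {
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
    $method = isset($_REQUEST['method']) ? sanitize_key(wp_unslash($_REQUEST['method'])) : '';
    // Log the attempt so blocked probes are visible in the PHP error log.
    error_log(sprintf(
        'deny_nopriv: blocked action=%s method=%s ip=%s',
        $action, $method, $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    // wp_send_json_error terminates the request; the plugin's callback never runs.
    wp_send_json_error(array('message' => 'forbidden'), 403);
}

// mu-plugins load before regular plugins, and admin-ajax.php fires
// do_action("wp_ajax_nopriv_{$action}") much later, so registering at
// priority 1 guarantees this callback runs ahead of the plugin's (default 10).
foreach (deny_nopriv_blocked_actions() as $blocked_action) {
    add_action('wp_ajax_nopriv_' . $blocked_action, 'deny_nopriv_reject', 1);
}
```

This blocks the listed actions for all logged-out visitors, including legitimate front-end booking forms if they use the same action, so test the public booking flow after deploying it. It does not protect against a logged-in low-privilege user, because the advisory's missing check is a capability check, not just a login check; treat it as a stopgap, not a fix.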

Added: Sep 11, 2025, 8:16 AM
Updated: Sep 11, 2025, 8:16 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          0.6
  exploitability  8.6
  remediation     0.0
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.