Salon Booking System – Free Version WordPress Plugin Security Vulnerabilities | WPScan

31

June 13, 2026

3000

Published

2026-06-10

Title

Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass

Fixed in

Fixed in 10.30.20

CVSS

4.3 (medium)

Published

2026-05-10

Title

Salon Booking System – Free Version < 10.30.26 - Missing Authorization

Fixed in

Fixed in 10.30.26

CVSS

5.3 (medium)

Published

2026-05-01

Title

Salon Booking System – Free Version < 10.30.26 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal

Fixed in

Fixed in 10.30.26

CVSS

7.5 (high)

Published

2026-04-21

Title

Salon Booking System – Free Version < 10.30.25 - Unauthenticated Insecure Direct Object Reference

Fixed in

Fixed in 10.30.25

CVSS

5.3 (medium)

Published

2026-01-21

Title

Salon booking system < 10.30.4 - Authenticated (Subscriber+) Information Exposure

Fixed in

Fixed in 10.30.4

CVSS

3.1 (low)

Published

2025-12-07

Title

Salon booking system < 10.30.4 - Cross-Site Request Forgery

Fixed in

Fixed in 10.30.4

CVSS

4.3 (medium)

Published

2025-09-10

Title

Salon Booking System < 10.24 - Missing Authorization to Unauthenticated AJAX Actions Execution

Fixed in

Fixed in 10.24

CVSS

5.3 (medium)

Published

2025-05-15

Title

Salon booking system < 10.17 - Cross-Site Request Forgery to Arbitrary Post/Page Deletion

Fixed in

Fixed in 10.17

CVSS

4.3 (medium)

Published

2025-04-04

Title

Salon booking system <= 10.30.19 - Missing Authorization

Fixed in

No known fix

CVSS

4.3 (medium)

Published

2025-04-01

Title

Salon booking system < 10.15 - Authenticated Privilege Escalation

Fixed in

Fixed in 10.15

CVSS

8.8 (high)

Published

2024-09-25

Title

Salon booking system < 10.9.1 - Authenticated (Subscriber+) Insecure Direct Object Reference

Fixed in

Fixed in 10.9.1

CVSS

4.3 (medium)

Published

2024-09-13

Title

Salon Booking System < 10.9.4 - Admin+ Stored XSS

Fixed in

Fixed in 1.9.4

CVSS

3.5 (low)

Published

2024-08-16

Title

Salon booking system < 10.9 - Unauthenticated Open Redirect

Fixed in

Fixed in 10.9

CVSS

6.1 (medium)

Published

2024-08-01

Title

Salon booking system < 10.8 - Authenticated (Administrator+) SQL Injection

Fixed in

Fixed in 10.8

CVSS

9.1 (critical)

Published

2024-06-18

Title

Salon Booking System < 10.3 - Unauthenticated Arbitrary File Upload

Fixed in

Fixed in 10.3

CVSS

9.8 (critical)

Published

2024-06-07

Title

Salon booking system < 10.0 - Missing Authorization

Fixed in

Fixed in 10.0

CVSS

4.3 (medium)

Published

2024-05-17

Title

Salon booking system < 10.0 - Unauthenticated Arbitrary File Deletion

Fixed in

Fixed in 10.0

CVSS

9.1 (critical)

Published

2024-04-05

Title

Salon booking system < 9.6.6 - Settings Update via CSRF

Fixed in

Fixed in 9.6.6

CVSS

4.3 (medium)

Published

2024-04-05

Title

Salon booking system < 9.6.6 - Editor+ Stored XSS

Fixed in

Fixed in 9.6.6

CVSS

3.5 (low)

Published

2024-04-05

Title

Salon booking system < 9.6.6 - Editor+ Stored XSS via Email Settings

Fixed in

Fixed in 9.6.6

CVSS

3.5 (low)

Published

2024-03-28

Title

Salon booking system < 9.5.1 - Unauthenticated Arbitrary File Upload

Fixed in

Fixed in 9.5.1

CVSS

10 (critical)

Published

2024-03-27

Title

Salon booking system < 9.6.3 - Unauthenticated Stored XSS

Fixed in

Fixed in 9.6.3

CVSS

8.8 (high)

Published

2024-03-27

Title

Salon Booking System < 9.6.3 - Unauthenticated Stored XSS

Fixed in

Fixed in 9.6.3

CVSS

8.8 (high)

Published

2023-11-23

Title

Salon booking system < 8.7 - Authenticated (Editor+) Privilege Escalation

Fixed in

Fixed in 8.7

CVSS

7.2 (high)

Published

2023-07-18

Title

Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting

Fixed in

Fixed in 8.4.9

CVSS

6.1 (medium)

Published

2023-06-27

Title

Salon Booking System < 8.4.8 - User Role change via CSRF

Fixed in

Fixed in 8.4.8

CVSS

5.4 (medium)

Published

2022-11-08

Title

Salon Booking System < 7.9.4 - Reflected Cross-Site Scripting

Fixed in

Fixed in 7.9.4

CVSS

6.1 (medium)

Published

2022-03-21

Title

Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure

Fixed in

Fixed in 7.6.3

CVSS

7.5 (high)

Published

2022-03-21

Title

Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure

Fixed in

Fixed in 7.6.3

CVSS

5.9 (medium)

Published

2022-02-28

Title

Unauthorised AJAX Calls via Freemius

Fixed in

Fixed in 7.6.3

CVSS

4.3 (medium)

Published

2021-06-21

Title

Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)

Fixed in

Fixed in 6.3.1

CVSS

9.6 (critical)