WordPress Plugin Vulnerabilities

Salon Booking System – Free Version < 10.30.25 - Unauthenticated Insecure Direct Object Reference

Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.30.24 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform unauthorized actions.

Affects Plugins

Plugin icon
salon-booking-system
Fixed in 10.30.25

References

CVE
CVE-2026-40768
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/94fc7e20-0fd1-4a10-b821-e5aba4512f3f

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lubin Regnault
Verified
No
WPVDB ID
213c4952-20b3-459d-9a09-4c08b7a4a7f7

Timeline

Publicly Published
2026-04-21 (about 1 month ago)
Added
2026-04-30 (about 1 month ago)
Last Updated
2026-04-30 (about 1 month ago)

Other

Published
Title
Published
2025-01-10
Title
RRAddons for Elementor <= 1.1.0 - Authenticated (Contributor+) Post Disclosure
Published
2024-12-11
Title
Greenshift – animation and page builder blocks < 9.9.9.4 - Authenticated (Contributor+) Post Disclosure
Published
2024-05-30
Title
Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access
Published
2022-08-04
Title
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
Published
2026-01-02
Title
Innovio <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference