WordPress Plugin Vulnerabilities

Salon Booking System < 10.24 - Missing Authorization to Unauthenticated AJAX Actions Execution

Description

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.22. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.

Affects Plugins

Plugin icon
salon-booking-system
Fixed in 10.24

References

CVE
CVE-2025-8492
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9a63a4ec-80e6-48cc-a778-97fa3917817e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
CodeCheq Devs
Verified
No
WPVDB ID
215c28cc-510b-4b74-a731-9f33ffc1de86

Timeline

Publicly Published
2025-09-10 (about 9 months ago)
Added
2025-09-10 (about 9 months ago)
Last Updated
2025-11-05 (about 7 months ago)

Other

Published
Title
Published
2024-12-12
Title
WP Crowdfunding < 2.1.13 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation
Published
2024-05-21
Title
WP Scraper < 5.8 - Missing Authorization to Arbitrary Page/Post Creation
Published
2025-10-12
Title
MasterStudy LMS Pro < 4.7.16 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2024-09-04
Title
Geo Controller < 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary Option Deletion