Salon booking system < 10.0 – Missing Authorization | CVE 2024-4468 | Plugin Vulnerabilities

Description

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.

Affects Plugins

salon-booking-system

Fixed in 10.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8b73f864-68b5-4ba8-93a3-37f2564cc240

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

JoanClarke2

Verified

No

WPVDB ID

6ae1328a-1c7c-4f22-aafa-3e35a21dd34c

Timeline

Publicly Published

2024-06-07 (about 2 years ago)

Added

2024-06-11 (about 2 years ago)

Last Updated

2024-06-11 (about 2 years ago)

Other

Published

Title

Published

2025-03-27

Title

Big Store < 2.0.9 - Missing Authorization

Published

2025-03-06

Title

School Management System for Wordpress <= 93.0.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Published

2026-05-30

Title

Advanced Custom Fields (ACF®) < 6.8.2 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters

Published

2024-08-19

Title

GiveWP – Donation Plugin and Fundraising Platform < 3.14.2 - Missing Authorization to Authenticated (Subscriber+) Limited File Deletion

Published

2026-03-10

Title

Job Postings < 2.8.1 - Missing Authorization