WordPress Plugin Vulnerabilities

Salon Booking System < 8.4.8 - User Role change via CSRF

Description

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change its own user role to customer.

Affects Plugins

Plugin icon
salon-booking-system
Fixed in 8.4.8

References

CVE
CVE-2023-3427

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
7c6f05dc-1c26-4e83-816f-78ea12b4130a

Timeline

Publicly Published
2023-06-27 (about 2 years ago)
Added
2023-06-29 (about 2 years ago)
Last Updated
2023-06-29 (about 2 years ago)

Other

Published
Title
Published
2025-01-27
Title
Issuu Panel <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-04-17
Title
Amazon Showcase WordPress Plugin <= 2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-08-25
Title
BetPress <= 1.0.1 Lite - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2021-06-30
Title
Fontsampler < 0.14.3 - CSRF to Authenticated Reflected Cross-Site Scripting (XSS)
Published
2023-11-12
Title
ShiftController Employee Shift Scheduling < 4.9.24 - CSRF