WordPress Plugin Vulnerabilities

Salon booking system < 8.7 - Authenticated (Editor+) Privilege Escalation

Description

The Salon booking system plugin for WordPress is vulnerable to privilege escalation in all versions up to, but excluding, 8.7. This makes it possible for authenticated attackers, with editor-level access and above, to escalate their privileges to that of an administrator.

Affects Plugins

Plugin icon
salon-booking-system
Fixed in 8.7

References

CVE
CVE-2023-48319
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac7f96-eb64-427d-9a95-b8bf1c675af0

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
lttn
Verified
No
WPVDB ID
c57805f7-d037-4941-a947-eee2146c6718

Timeline

Publicly Published
2023-11-23 (about 2 years ago)
Added
2023-11-29 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-10-21
Title
Academy LMS Pro < 3.3.8 - Unauthenticated Privilege Escalation via Social Login Addon
Published
2016-06-17
Title
Product Catalog <= 3.8.1 - Privilege Escalation
Published
2025-05-19
Title
CouponXL <= 4.5.0 - Unauthenticated Privilege Escalation
Published
2025-10-31
Title
Doccure Core < 1.5.4 - Unauthenticated Privilege Escalation
Published
2025-06-09
Title
RH - Real Estate WordPress Theme < 4.4.1 - Authenticated (Subscriber+) Privilege Escalation