Salon booking system < 10.17 – Cross-Site Request Forgery to Arbitrary Post/Page Deletion | CVE 2025-47583 | Plugin Vulnerabilities

Description

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.16. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete content granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

salon-booking-system

Fixed in 10.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/91a2fa6e-f434-4b56-af68-71e1ee565cc8

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

NAWardRox

Verified

No

WPVDB ID

de02c05b-dcc0-4dc1-ab44-5200e0a70500

Timeline

Publicly Published

2025-05-15 (about 1 year ago)

Added

2025-05-21 (about 1 year ago)

Last Updated

2025-06-25 (about 11 months ago)

Other

Published

Title

Published

2024-01-19

Title

Splashscreen <= 0.20 - Settings Update via CSRF

Published

2024-10-30

Title

WPGlobus Translate Options <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2022-06-01

Title

My Private Site < 3.0.8 - Arbitrary Settings Update via CSRF

Published

2025-09-10

Title

Plugin updates blocker <= 0.2 - Cross-Site Request Forgery

Published

2025-04-24

Title

Related Posts via Taxonomies <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting