Salon booking system < 7.6.3 – Unauthenticated Sensitive Data Disclosure | CVE 2022-0919 | Plugin Vulnerabilities

Description

The plugin does not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.

Proof of Concept

Although the API only returns the name of customer, the search feature can be abused to leak email and phone, for example, search "a@", "b@", "c@"... to determine email address char by char.

curl -X POST https://example.com/wp-admin/admin-ajax.php -d 'action=salon&day=2022-03-11&search=%40&method=SearchBookings'

Affects Plugins

salon-booking-system

Fixed in 7.6.3

salon-booking-plugin-pro

Fixed in 7.6.3

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Huli from Cymetrics

Submitter

Huli from Cymetrics

Submitter website

https://cymetrics.io

Verified

Yes

WPVDB ID

e8f32e0b-4a89-460b-bb78-7c83ef5e16b4

Timeline

Publicly Published

2022-03-21 (about 3 years ago)

Added

2022-03-21 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2025-01-24

Title

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress < 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license)

Published

2024-03-15

Title

Word Replacer Pro <= 1.0 - Missing Authorization to Unauthenticated Arbitrary Content Update

Published

2024-12-02

Title

AIO Contact <= 2.8.1 - Missing Authorization

Published

2025-04-22

Title

Download Alt Text AI < 1.9.94 - Missing Authorization

Published

2022-08-22

Title

WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update