248 matches found
CVE-2026-15070
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inje...
CVE-2026-15070
The CVE covers the WordPress plugin “Salon Booking System – Free Version.” All versions up to and including 10.30.32 are vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in setCustomText, allowing unauthenticated attackers to inject PHP into translate-constants.p...
WordPress Salon Booking System – Free Version plugin <= 10.30.32 - Cross-Site Request Forgery to Remote Code Execution vulnerability
Cross-Site Request Forgery to Remote Code Execution vulnerability discovered by Afifudin Maarif in WordPress Plugin Salon booking system versions = 10.30.32...
CVE-2026-11887
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new...
CVE-2026-11887 Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new...
CVE-2026-11887
The CVE concerns the Salon Booking System WordPress plugin prior to 10.30.20. Affected component: an AJAX action without proper authorization checks, enabling any authenticated user (e.g., a subscriber) to modify the plugin’s settings and bypass manual approval of new bookings. Root cause: insuff...
EUVD-2026-37604
Unauthenticated Insecure Direct Object References IDOR in Salon booking system = 10.30.24 versions...
CVE-2026-40768
Unauthenticated Insecure Direct Object References IDOR in Salon booking system = 10.30.24 versions...
CVE-2026-40768
The CVE covers WordPress Salon booking system plugin versions
CVE-2026-42666
Unauthenticated Broken Access Control in Salon booking system = 10.30.25 versions...
CVE-2026-42666
The WordPress Salon Booking System plugin versions
CVE-2026-42666 WordPress Salon booking system plugin <= 10.30.25 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Salon booking system = 10.30.25 versions...
EUVD-2026-36831
Unauthenticated Broken Access Control in Salon booking system = 10.30.25 versions...
PT-2026-49457
Unauthenticated Broken Access Control in Salon booking system = 10.30.25 versions...
WordPress Salon booking system plugin <= 10.30.25 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Evan in WordPress Plugin Salon booking system versions = 10.30.25...
WordPress Salon Booking System – Free Version plugin <= 10.30.25 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by daroo in WordPress Plugin Salon booking system versions = 10.30.25...
CVE-2026-6320
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email...
CVE-2026-6320
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email...
EUVD-2026-26784
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email...
CVE-2026-6320
The CVE concerns the Salon Booking System – Free Version WordPress plugin. Affected component: the booking flow and email attachment handling in versions up to and including 10.30.25. Root cause: attacker-controlled file-field values are stored and later treated as trusted paths for email attachm...