Search criteria
2 vulnerabilities found for Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses by wordpresschef
CVE-2025-8492 (GCVE-0-2025-8492)
Vulnerability from cvelistv5 – Published: 2025-09-11 07:24 – Updated: 2025-09-11 14:38
VLAI?
Title
Salon Booking System <= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution
Summary
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordpresschef | Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses |
Affected:
* , ≤ 10.20
(semver)
|
Credits
CodeCheq Devs
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:45:50.160272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:38:51.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Salon Booking System, Appointment Scheduling for Salons, Spas \u0026 Small Businesses",
"vendor": "wordpresschef",
"versions": [
{
"lessThanOrEqual": "10.20",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CodeCheq Devs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Salon Booking System, Appointment Scheduling for Salons, Spas \u0026 Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T07:24:56.874Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a63a4ec-80e6-48cc-a778-97fa3917817e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/salon-booking-system/tags/10.20/src/SLN/Plugin.php#L232"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-10T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-09-10T18:46:11.000+00:00",
"value": "Disclosed"
}
],
"title": "Salon Booking System \u003c= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8492",
"datePublished": "2025-09-11T07:24:56.874Z",
"dateReserved": "2025-08-01T22:55:38.339Z",
"dateUpdated": "2025-09-11T14:38:51.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8492 (GCVE-0-2025-8492)
Vulnerability from nvd – Published: 2025-09-11 07:24 – Updated: 2025-09-11 14:38
VLAI?
Title
Salon Booking System <= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution
Summary
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wordpresschef | Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses |
Affected:
* , ≤ 10.20
(semver)
|
Credits
CodeCheq Devs
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8492",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-11T13:45:50.160272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T14:38:51.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Salon Booking System, Appointment Scheduling for Salons, Spas \u0026 Small Businesses",
"vendor": "wordpresschef",
"versions": [
{
"lessThanOrEqual": "10.20",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CodeCheq Devs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Salon Booking System, Appointment Scheduling for Salons, Spas \u0026 Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-11T07:24:56.874Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a63a4ec-80e6-48cc-a778-97fa3917817e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/salon-booking-system/tags/10.20/src/SLN/Plugin.php#L232"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-10T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-09-10T18:46:11.000+00:00",
"value": "Disclosed"
}
],
"title": "Salon Booking System \u003c= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8492",
"datePublished": "2025-09-11T07:24:56.874Z",
"dateReserved": "2025-08-01T22:55:38.339Z",
"dateUpdated": "2025-09-11T14:38:51.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}