The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. This is due to missing or incorrect nonce validation on the 'save_customer' function. This makes it possible for unauthenticated attackers to change the admin role to customer or change the user meta to arbitrary values via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
History
Wed, 06 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2023-06-28T01:48:22.850Z
Updated: 2024-11-06T18:52:24.792Z
Reserved: 2023-06-27T11:48:55.558Z
Link: CVE-2023-3427
Vulnrichment
Updated: 2024-08-02T06:55:03.209Z
NVD
Status: Modified
Published: 2023-06-28T02:15:49.783
Modified: 2024-11-21T08:17:14.653
Link: CVE-2023-3427