Impact
An incorrect privilege assignment flaw in the Salon booking system plugin allows an attacker to elevate a normal user’s role or to create an account with higher capabilities than the attacker should be able to grant. Based on the description, it is inferred that the attacker needs authenticated access to invoke the plugin’s functionality or abuse its settings. The result is unauthorized access to administrative features, sensitive configuration settings, and potentially other plugins or site data. The weakness is classified as CWE-266 (Incorrect Privilege Assignment), meaning the site loses control over who holds privileged roles.
Affected Systems
The vulnerability affects the WordPress plugin “Salon booking system” developed by Dimitri Grassi. All releases prior to version 10.15 are impacted. Users running the plugin on any WordPress installation, irrespective of operating system, are potentially affected.
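A defender checking a fleet of sites needs a version comparison that treats 10.15 as newer than 9.9 (a plain string compare gets that wrong). The following is an added example, not code from the plugin or from the advisory; the plugin directory and main-file path are assumptions, and the sample header is constructed.

```python
"""Flag installs of the Salon booking system plugin older than the fixed release 10.15."""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "10.15"  # first fixed release named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.15' or '9.9.2' into an integer tuple for a numeric comparison."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) or (0,)


def header_version(php_source: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_plugin_file(path: Path) -> Tuple[Optional[str], bool]:
    """Read a plugin's main PHP file and report (version, needs_update)."""
    src = path.read_text(encoding="utf-8", errors="replace")
    ver = header_version(src)
    return ver, (ver is not None and is_vulnerable(ver))


# Constructed sample header in the format WordPress reads from a plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Salon booking system
 * Version: 9.9.2
 */
"""

if __name__ == "__main__":
    # Assumed location; the real directory and file names may differ on your site.
    plugin_main = Path("/var/www/html/wp-content/plugins/salon-booking-system/salon.php")
    if plugin_main.exists():
        ver, needs_update = check_plugin_file(plugin_main)
        print(f"installed {ver}: {'UPDATE REQUIRED' if needs_update else 'ok'}")
    else:
        ver = header_version(SAMPLE_HEADER)
        print(f"sample header {ver}: vulnerable={is_vulnerable(ver)}")
```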
Risk and Exploitability
The CVSS score of 7.2 indicates a moderate to high severity. The EPSS value of less than 1% suggests a low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker likely requires authenticated access to the WordPress site and the ability to invoke or manipulate the plugin’s functionality or configuration to trigger the privilege escalation. No additional prerequisites are noted; the vulnerability appears usable by a standard authenticated user or through abuse of the plugin’s settings.
OpenCVE Enrichment