Description
Missing Authorization vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon booking system: from n/a through <= 10.30.23.
Published: 2025-04-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization within the Salon booking system plugin permits an attacker to perform operations beyond the intended permissions. The flaw stems from incorrectly configured access control security levels, enabling unauthorized viewing, modification, or deletion of booking data. This weakness is classified as CWE-862 (Missing Authorization) and can compromise the confidentiality, integrity, and availability of the booking information.

Affected Systems

The vulnerability affects the Salon booking system plugin developed by Dimitri Grassi, available as a WordPress plugin. All releases up to and including version 10.30.23 are affected. The plugin is installed on WordPress sites that incorporate this booking functionality.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact. The EPSS score of less than 1% suggests a low likelihood that the vulnerability is actively exploited. The issue is not listed in the CISA KEV catalog. Attackers most likely need access to the WordPress administrative interface or an account with sufficient privileges to interact with the plugin's management endpoints; this inference is based on the description of an access-control weakness, but the exact authentication requirements are not explicitly detailed in the advisory.

Generated by OpenCVE AI on May 1, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Salon booking system plugin to the latest released version, which resolves the access control flaw.
  • Review and enforce correct user role capabilities for the plugin in WordPress, ensuring that only administrators can access privileged functions.
  • If an update is not yet available, restrict the plugin’s administrative URLs using access controls such as .htaccess rules or specialized WordPress plugins to limit exposure to authorized users.
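As an added illustration of the CWE-862 pattern these recommendations address (hypothetical code, not from the Salon booking system plugin; the action names, the demo_booking post type and the manage_options capability are assumptions): the same privileged admin-ajax handler without and with an authorization check, followed by the equivalent REST route gated by permission_callback.

```php
<?php
// Hypothetical illustration, not code from the Salon booking system plugin.
// Action names, the 'demo_booking' post type and the capability are assumptions.

// Weak form (the CWE-862 pattern): any authenticated user who can reach
// admin-ajax.php can delete a booking, because no capability or nonce is checked.
add_action( 'wp_ajax_demo_delete_booking_weak', 'demo_delete_booking_weak' );
function demo_delete_booking_weak() {
    $id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// Hardened form: verify the nonce, then require the capability the operation
// needs, and only then touch data. Both helpers terminate the request on failure.
add_action( 'wp_ajax_demo_delete_booking', 'demo_delete_booking' );
function demo_delete_booking() {
    check_ajax_referer( 'demo_delete_booking', 'nonce' );          // 403 if missing/invalid
    if ( ! current_user_can( 'manage_options' ) ) {                 // authorization
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    if ( 0 === $id || 'demo_booking' !== get_post_type( $id ) ) {  // object validity
        wp_send_json_error( array( 'message' => 'Invalid booking' ), 400 );
    }
    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// The same rule for REST routes: a privileged endpoint must never register
// 'permission_callback' => '__return_true'; gate it on the real capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/bookings/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => function ( WP_REST_Request $request ) {
            $id = absint( $request['id'] );
            wp_delete_post( $id, true );
            return rest_ensure_response( array( 'deleted' => $id ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of flaw, look for every wp_ajax_, admin_post_ and REST callback that mutates data and confirm it performs both a nonce check and a current_user_can check before the first write.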



Advisories
Source: EUVD
ID: EUVD-2025-9816
Title: Missing Authorization vulnerability in Dimitri Grassi Salon booking system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon booking system: from n/a through 10.10.7.
History

Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Missing Authorization vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salon booking system: from n/a through <= 10.30.26.
  Added: Missing Authorization vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salon booking system: from n/a through <= 10.30.23.
Title
  Removed: WordPress Salon booking system plugin <= 10.30.26 - Broken Access Control vulnerability
  Added: WordPress Salon booking system plugin <= 10.30.23 - Broken Access Control vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Missing Authorization vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salon booking system: from n/a through <= 10.30.23.
  Added: Missing Authorization vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salon booking system: from n/a through <= 10.30.26.
Title
  Removed: WordPress Salon booking system plugin <= 10.30.23 - Broken Access Control vulnerability
  Added: WordPress Salon booking system plugin <= 10.30.26 - Broken Access Control vulnerability
Metrics (cvssV3_1)
  Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Missing Authorization vulnerability in Dimitri Grassi Salon booking system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon booking system: from n/a through 10.10.7.
  Added: Missing Authorization vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salon booking system: from n/a through <= 10.30.23.
Title
  Removed: WordPress Salon Booking System plugin <= 10.10.7 - Broken Access Control vulnerability
  Added: WordPress Salon booking system plugin <= 10.30.23 - Broken Access Control vulnerability
References
  (changed)
Metrics (cvssV3_1)
  Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}
  Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Apr 2025 13:30:00 +0000

First Time appeared
  Added: Salonbookingsystem; Salonbookingsystem salon Booking System
CPEs
  Added: cpe:2.3:a:salonbookingsystem:salon_booking_system:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Salonbookingsystem; Salonbookingsystem salon Booking System

Fri, 04 Apr 2025 20:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Description
  Added: Missing Authorization vulnerability in Dimitri Grassi Salon booking system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon booking system: from n/a through 10.10.7.
Title
  Added: WordPress Salon Booking System plugin <= 10.10.7 - Broken Access Control vulnerability
Weaknesses
  Added: CWE-862
References
  (added)
Metrics (cvssV3_1)
  Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:19.220Z

Reserved: 2025-04-04T10:01:42.465Z

Link: CVE-2025-32220

Vulnrichment

Updated: 2025-04-04T19:52:44.520Z

NVD

Status: Modified

Published: 2025-04-04T16:15:31.357

Modified: 2026-04-28T19:31:32.220

Link: CVE-2025-32220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:30:04Z

Weaknesses