Impact
A Cross‑Site Request Forgery flaw in the Dimitri Grassi Salon booking system plugin lets an attacker cause a victim's browser to delete content that the victim is authorized to manage, effectively allowing arbitrary removal of posts or other CMS elements. The weakness is a classic CSRF vulnerability (CWE‑352): the plugin does not verify that a deletion request was deliberately issued by the authenticated user rather than forged by another site. An attacker able to forge such requests can erase content without the user's knowledge.
Affected Systems
The issue affects all installations of the Salon booking system plugin up to and including version 10.16, including every earlier release, for which no patch is available. Operators of WordPress sites running this plugin should be aware that, while they are logged in as administrators or other content managers, a malicious web page can trigger their ability to delete content.
Risk and Exploitability
The CVSS score of 5.4 reflects medium severity; the EPSS score of less than 1% indicates a very low and uncertain probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a forged deletion link hosted on a third‑party site. An attacker needs only to entice a logged‑in user to load such a link, for example by embedding it in an email or a deceptive web page, and the victim's browser will send the deletion request with the user's session credentials. No additional privileged access or malware is required once the user has been tricked into loading the link.
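The missing check described under Impact and the attack path described above come down to one thing in a WordPress plugin: an action handler that performs a state change without a nonce. The following is an added example written for this advisory, not code from the Salon booking system plugin. The handler names, the admin_post hook name, the nonce action string and the post_id query parameter are hypothetical; the WordPress functions used (check_admin_referer, current_user_can, wp_nonce_url, wp_delete_post) are the standard core APIs.

```php
<?php
// Added example, not the plugin's code. Shows a generic WordPress admin_post
// deletion handler in its CSRF-vulnerable form and in a hardened form.
// Handler names, hook name, nonce action and query parameters are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// Any request carrying the user's logged-in cookie is honoured. A link such as
//   wp-admin/admin-post.php?action=example_delete_item&post_id=N
// loaded from a third-party page succeeds, because nothing ties the request to
// an action the user actually took on this site.
function example_delete_item_vulnerable() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( $post_id ) {
        wp_delete_post( $post_id, true ); // no nonce check, no capability check
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
function example_delete_item_hardened() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

    // 1. Nonce. check_admin_referer() reads $_GET['_wpnonce'] and calls wp_die()
    //    when it is missing or does not match the action for this user/session.
    //    A forged cross-site request cannot carry a valid nonce, so it stops here.
    check_admin_referer( 'example_delete_item_' . $post_id );

    // 2. Capability. A valid nonce proves intent, not permission: the user must
    //    still be allowed to delete this specific post.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this item.', 'example-textdomain' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_example_delete_item', 'example_delete_item_hardened' );

// --- Emitting the link ------------------------------------------------------
// wp_nonce_url() appends the matching _wpnonce parameter, so a working deletion
// URL can only be produced by rendering it for this user on this site; a page
// elsewhere cannot guess it.
function example_delete_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'example_delete_item', 'post_id' => $post_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'example_delete_item_' . $post_id );
}
```

The two checks are independent: the nonce defeats CSRF by binding the request to a link or form the site rendered for that user, and the capability check ensures that even a legitimately submitted request cannot delete content the user has no right to remove. Both are needed; the page's vulnerability class (CWE‑352) is the absence of the first.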