Description
Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw exists in the Salon booking system plugin before version 10.30.3 that allows an attacker to trick an authenticated user into submitting a request that the site will accept as legitimate. The vulnerability can be abused to perform any action that the victim user is authorized to execute, potentially altering booking data or exposing sensitive information. The weakness is a classic CSRF defect (CWE-352).

Affected Systems

The affected vendor is Dimitri Grassi and the affected product is the Salon booking system WordPress plugin. All released versions up through and including 10.30.3 are vulnerable; the advisory names no fixed version.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity; however, the EPSS score is less than 1%, showing that the chance of exploitation is very low, and the issue is not listed in CISA's KEV catalog. Typical exploitation would require the victim to be logged into the site and would involve the attacker inducing the victim's browser to send a crafted HTTP request, often via a malicious link or form. No special conditions beyond user authentication are stated, so the attack vector is inferred to be user-initiated web traffic. The attacker can thereby execute unintended actions with the victim's privileges.

Generated by OpenCVE AI on April 30, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Salon booking system plugin version 10.30.4 or later
  • If an update cannot be applied immediately, temporarily disable the plugin’s state‑changing booking functionalities or restrict them to trusted user roles only
  • Configure the website to enforce CSRF tokens on all state‑changing requests, or use a web application firewall to block potential CSRF traffic until the plugin is updated
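The last recommendation above (enforce CSRF tokens on state-changing requests) is, in WordPress, done with nonces plus a capability check. The example below is added here and is not code from the Salon booking system plugin or from Patchstack; it shows a hypothetical booking-cancel handler in the vulnerable shape that CWE-352 describes, then the hardened shape. All sln_demo_* function, action and option names, the 'manage_options' capability choice and the admin-post.php routing are assumptions for illustration; only the WordPress core functions (check_admin_referer, wp_nonce_field, current_user_can, wp_die, admin_url and friends) are real APIs.

```php
<?php
/**
 * Added example (not the plugin's own code). A hypothetical "cancel booking"
 * handler, first in the CSRF-prone form and then with the nonce + capability
 * checks WordPress provides. Every sln_demo_* name is an assumption.
 */

// --- Vulnerable pattern: any POST from a logged-in browser is accepted -------
// The browser attaches the WordPress auth cookie automatically, so a form on an
// unrelated page can submit this request inside the victim's session. Shown for
// contrast only; it is deliberately NOT registered with add_action().
function sln_demo_cancel_booking_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    sln_demo_set_booking_status( $booking_id, 'cancelled' ); // state change, no origin check
    wp_safe_redirect( admin_url( 'admin.php?page=sln-demo-bookings' ) );
    exit;
}

// --- Hardened pattern: nonce (CSRF token) + authorisation + validation --------
function sln_demo_cancel_booking_secure() {
    // 1. Verify the nonce bound to this exact action. check_admin_referer()
    //    calls wp_die() on a missing or stale token, so the state change below
    //    is never reached for a cross-site request. The token field name
    //    'sln_demo_nonce' must match the one emitted by wp_nonce_field().
    check_admin_referer( 'sln_demo_cancel_booking', 'sln_demo_nonce' );

    // 2. A valid nonce proves the user intended this request, not that the
    //    user is allowed to make it; check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to cancel bookings.', 'sln-demo' ), 403 );
    }

    // 3. Validate input before touching state.
    $booking_id = absint( wp_unslash( $_POST['booking_id'] ?? 0 ) );
    if ( 0 === $booking_id ) {
        wp_die( esc_html__( 'Invalid booking id.', 'sln-demo' ), 400 );
    }

    sln_demo_set_booking_status( $booking_id, 'cancelled' );
    wp_safe_redirect( admin_url( 'admin.php?page=sln-demo-bookings&cancelled=' . $booking_id ) );
    exit;
}
add_action( 'admin_post_sln_demo_cancel_booking', 'sln_demo_cancel_booking_secure' );

// The form that targets the secure handler. wp_nonce_field() emits the hidden
// token (and a referer field); a page on another origin cannot read or forge it.
function sln_demo_render_cancel_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sln_demo_cancel_booking">
        <input type="hidden" name="booking_id" value="<?php echo esc_attr( absint( $booking_id ) ); ?>">
        <?php wp_nonce_field( 'sln_demo_cancel_booking', 'sln_demo_nonce' ); ?>
        <button type="submit"><?php esc_html_e( 'Cancel booking', 'sln-demo' ); ?></button>
    </form>
    <?php
}

// Stand-in for the plugin's persistence layer (assumed for this example).
function sln_demo_set_booking_status( $booking_id, $status ) {
    update_option( 'sln_demo_booking_' . $booking_id . '_status', sanitize_key( $status ) );
}
```

Two points worth checking in any plugin you review for this class of bug: the nonce action string should be specific to the operation (and, for per-object actions, can include the object id, e.g. 'sln_demo_cancel_booking_' . $booking_id), and the capability check must be present alongside the nonce, since WordPress nonces are valid for up to 24 hours and only prove intent, not permission.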


Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 01:15:00 +0000

Type: Metrics
Values removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 11 Dec 2025 20:15:00 +0000

Type: Metrics
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values added: Wordpress, Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress, Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type: Description
Values added: Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3.
Type: Title
Values added: WordPress Salon booking system plugin <= 10.30.3 - Cross Site Request Forgery (CSRF) vulnerability
Type: Weaknesses
Values added: CWE-352
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.251Z

Reserved: 2025-12-04T04:07:13.047Z

Link: CVE-2025-66531

Vulnrichment

Updated: 2025-12-11T19:28:44.898Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:20.433

Modified: 2026-04-27T18:16:38.607

Link: CVE-2025-66531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses