Description
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.22. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
Published: 2025-09-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Patch Immediately
AI Analysis

Impact

The Salon Booking System plugin for WordPress has a missing capability check in its AJAX handler, allowing any unauthenticated user to trigger privileged actions. Through the vulnerable endpoint the attacker can perform limited file uploads and modify scheduling data. The flaw is classified as a missing authorization (CWE-862).

Affected Systems

The flaw affects the WordPress plugin Salon Booking System – Free Version, all releases up to and including 10.22. The plugin is widely used for appointment scheduling in salons and spas, so every WordPress site running one of these versions is vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate risk, while the EPSS score of less than 1% shows a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in CISA KEV. Exploitation requires only an unauthenticated HTTP POST to the plugin’s AJAX endpoint, which is easily performed by any user with internet access. Once triggered, the attacker can upload files and modify booking data without authorization, potentially disrupting business operations.

Generated by OpenCVE AI on April 21, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Salon Booking System plugin to the latest version, in which the capability check has been added to the AJAX handler.
  • If the file upload feature is not essential, disable it or modify the plugin to restrict the upload endpoint to authenticated users only.
  • Configure a security plugin or web-server rules to block or rate-limit unauthenticated requests to the plugin's AJAX URLs.
  • Additional hardening: review user roles and ensure that only trusted accounts have the capability required to access the booking system's administrative functions.
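The following PHP is an added example and is not code from the Salon Booking System plugin or from OpenCVE. It illustrates the vulnerability class described above (a WordPress AJAX handler reachable without authentication and lacking a capability check, CWE-862) next to a hardened version of the same handler, and finishes with a site-side must-use plugin that denies unauthenticated calls to named AJAX actions, which is the kind of interim mitigation the second and third recommended actions describe. All function names, action names and nonce names are assumptions chosen for illustration; the real plugin's handler names are not on this page.

```php
<?php
/**
 * Added example (hypothetical names). Not the Salon Booking System plugin's code.
 * Demonstrates a missing-capability-check AJAX upload handler and its hardened form,
 * plus a must-use plugin that blocks unauthenticated requests to listed AJAX actions.
 */

// ---- Vulnerable pattern (CWE-862) ------------------------------------------
// Registered on the "nopriv" hook, so admin-ajax.php dispatches it for anonymous
// callers, and it performs a privileged operation with no nonce or capability check.
add_action( 'wp_ajax_nopriv_example_upload_attachment', 'example_upload_attachment_insecure' );
add_action( 'wp_ajax_example_upload_attachment', 'example_upload_attachment_insecure' );

function example_upload_attachment_insecure() {
	if ( ! function_exists( 'wp_handle_upload' ) ) {
		require_once ABSPATH . 'wp-admin/includes/file.php';
	}
	// Anyone who can reach admin-ajax.php may upload: no authorisation at all.
	$result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
	wp_send_json( $result );
}

// ---- Hardened pattern --------------------------------------------------------
// Only the authenticated hook is registered (no wp_ajax_nopriv_ variant), so
// anonymous requests never reach the function. Inside, the request must carry a
// valid nonce, the user must hold an explicit capability, and the accepted file
// types are an allow-list rather than whatever the client claims.
add_action( 'wp_ajax_example_upload_attachment_secure', 'example_upload_attachment_secure' );

function example_upload_attachment_secure() {
	// CSRF protection: dies with HTTP 403 for AJAX requests when the nonce is invalid.
	check_ajax_referer( 'example_upload_nonce', 'security' );

	// Authorisation: require a capability appropriate to the action being performed.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
		wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
	}

	if ( ! function_exists( 'wp_handle_upload' ) ) {
		require_once ABSPATH . 'wp-admin/includes/file.php';
	}

	// Allow-list of extensions/MIME types; wp_handle_upload() rejects anything else.
	$allowed_mimes = array(
		'jpg|jpeg' => 'image/jpeg',
		'png'      => 'image/png',
		'pdf'      => 'application/pdf',
	);
	$result = wp_handle_upload(
		$_FILES['file'],
		array( 'test_form' => false, 'mimes' => $allowed_mimes )
	);

	if ( isset( $result['error'] ) ) {
		wp_send_json_error( array( 'message' => $result['error'] ), 400 );
	}
	wp_send_json_success( array( 'url' => $result['url'] ) );
}

// ---- Site-side interim mitigation (drop into wp-content/mu-plugins/) --------
// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_* hooks, so a
// must-use plugin can refuse unauthenticated calls to specific action names
// without modifying the vulnerable plugin itself.
add_action( 'admin_init', 'example_block_nopriv_ajax_actions', 1 );

function example_block_nopriv_ajax_actions() {
	if ( ! wp_doing_ajax() || is_user_logged_in() ) {
		return;
	}
	// Assumption: replace with the plugin's privileged action names once identified.
	$restricted_actions = array( 'example_upload_attachment' );

	$action = isset( $_REQUEST['action'] )
		? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
		: '';

	if ( in_array( $action, $restricted_actions, true ) ) {
		wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
	}
}
```

The must-use plugin is deliberately narrow: it keys on the `action` parameter rather than blocking admin-ajax.php wholesale, because many legitimate front-end features (including other plugins' "nopriv" actions) rely on that endpoint. It is a stopgap for the window between disclosure and upgrade, not a substitute for the capability check belonging inside the handler.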


Advisories
Source: EUVD
ID: EUVD-2025-27652
Title: The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Values Removed: The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
  Values Added: The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.22. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
Type: Title
  Values Removed: Salon Booking System <= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution
  Values Added: Salon Booking System <= 10.22 - Missing Authorization to Unauthenticated AJAX Actions Execution
Type: References

Fri, 12 Sep 2025 08:15:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Sep 2025 07:30:00 +0000

Type: Description
  Values Added: The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
Type: Title
  Values Added: Salon Booking System <= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution
Type: Weaknesses
  Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:03.500Z

Reserved: 2025-08-01T22:55:38.339Z

Link: CVE-2025-8492

Vulnrichment

Updated: 2025-09-11T13:45:52.016Z

NVD

Status : Deferred

Published: 2025-09-11T08:15:34.827

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8492

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses