Description
Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking-plugin-pro allows Privilege Escalation.This issue affects Salon Booking System Pro: from n/a through < 10.30.12.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

This vulnerability stems from incorrect privilege assignment within the Salon Booking System Pro plugin for WordPress, allowing an attacker who is authenticated but not privileged to elevate their access rights. The result is a full account takeover, giving the attacker control over site settings and user data. The weakness corresponds to improper privilege management.

Affected Systems

The attack impacts installations of Salon Booking System Pro through version 10.30.11, including all WordPress sites that have the plugin enabled. Users should verify the plugin version and consult the vendor for updates.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that current exploitation is unlikely, and it is not listed in the CISA KEV catalog. Nonetheless, the likely attack vector is a remote attacker who can log in with a non‑admin account and then exploit the privilege‑escalation flaw, potentially compromising the entire site.

Generated by OpenCVE AI on March 27, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Salon Booking System Pro to version 10.30.12 or later
  • If upgrading is not possible immediately, disable the plugin until a patch becomes available
  • Limit user roles to the minimum required privileges and review role permissions regularly
  • Apply the principle of least privilege to WordPress user accounts
  • Monitor for suspicious login activity and unauthorized changes to user roles

Generated by OpenCVE AI on March 27, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wordpresschef
Wordpresschef salon Booking System Pro
Vendors & Products Wordpress
Wordpress wordpress
Wordpresschef
Wordpresschef salon Booking System Pro

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking-plugin-pro allows Privilege Escalation.This issue affects Salon Booking System Pro: from n/a through < 10.30.12.
Title WordPress Salon Booking System Pro plugin < 10.30.12 - Account Takeover vulnerability
Weaknesses CWE-266
References

Subscriptions

Wordpress Wordpress
Wordpresschef Salon Booking System Pro
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:38.036Z

Reserved: 2026-02-02T12:52:37.306Z

Link: CVE-2026-25334

cve-icon Vulnrichment

Updated: 2026-03-27T14:42:35.478Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:44.383

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25334

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:24Z

Weaknesses