Description
Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
Published: 2026-06-17
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated IDOR that enables an attacker to read or modify booking objects they should not access. Classified as CWE-639, the plugin fails to confirm that the user is authorized for the requested resource. Successful exploitation can expose or alter sensitive booking data, compromising privacy and reliable service.

Affected Systems

Vendor Dimitri Grassi’s WordPress Salon booking system plugin is affected. Versions up to and including 10.30.24 contain the flaw; the issue is fixed in 10.30.25 and later. Any WordPress installation using the plugin in that range is at risk.

Risk and Exploitability

The CVSS score of 7.3 signals high severity. No EPSS data is available, yet the vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread public exploits yet. The attack vector is web‑based and unauthenticated, relying on manipulation of booking identifiers in URLs or API requests. An attacker could simply enumerate or guess booking IDs to access data.

Generated by OpenCVE AI on June 18, 2026 at 12:14 UTC.

Remediation

Vendor Solution

Update the WordPress Salon booking system Plugin to the latest available version (at least 10.30.25).


OpenCVE Recommended Actions

  • Update the WordPress Salon booking system plugin to version 10.30.25 or later as recommended by the vendor.
  • Enforce strict role‑based access controls so that only authorized users can view or edit bookings, and validate all booking identifiers server‑side.
  • Enable logging of booking ID usage, review logs for anomalous access patterns, and restrict direct object reference usage where possible.

Generated by OpenCVE AI on June 18, 2026 at 12:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Dimitri Grassi
Dimitri Grassi salon Booking System
Wordpress
Wordpress wordpress
Vendors & Products Dimitri Grassi
Dimitri Grassi salon Booking System
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system <= 10.30.24 versions.
Title WordPress Salon booking system plugin <= 10.30.24 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Dimitri Grassi Salon Booking System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:46.407Z

Reserved: 2026-04-15T09:20:32.457Z

Link: CVE-2026-40768

cve-icon Vulnrichment

Updated: 2026-06-17T15:28:41.301Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:08Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key