Impact
The vulnerability is an unauthenticated IDOR that enables an attacker to read or modify booking objects they should not access. Classified as CWE-639, the plugin fails to confirm that the user is authorized for the requested resource. Successful exploitation can expose or alter sensitive booking data, compromising privacy and reliable service.
Affected Systems
Vendor Dimitri Grassi’s WordPress Salon booking system plugin is affected. Versions up to and including 10.30.24 contain the flaw; the issue is fixed in 10.30.25 and later. Any WordPress installation using the plugin in that range is at risk.
Risk and Exploitability
The CVSS score of 7.3 signals high severity. No EPSS data is available, yet the vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread public exploits yet. The attack vector is web‑based and unauthenticated, relying on manipulation of booking identifiers in URLs or API requests. An attacker could simply enumerate or guess booking IDs to access data.
OpenCVE Enrichment