Salon Booking System

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.

Basic Information

ID CVE-2025-8492

Source Wordfence

Published Sep 11, 2025 at 07:24

Modified Sep 11, 2025 at 14:38

Affected Product

Vendor wordpresschef

Product Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses

Version *

Affected Versions wordpresschef Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.",
    "published": "2025-09-11T07:24:56.874Z",
    "modified": "2025-09-11T14:38:51.236Z",
    "type": "cve",
    "title": "Salon Booking System <= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9a63a4ec-80e6-48cc-a778-97fa3917817e?source=cve\nhttps://plugins.trac.wordpress.org/browser/salon-booking-system/tags/10.20/src/SLN/Plugin.php#L232",
    "id": "CVE-2025-8492",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "wordpresschef Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses",
    "version": "*",
    "vendor": "wordpresschef",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Salon Booking System <= 10.20 - Missing Authorization to Unauthenticated AJAX Actions Execution_CVE-2025-8492