CVE-2025-8492
Salon Booking System <= 10.22 - Missing Authorization to Unauthenticated AJAX Actions Execution
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.22. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Produtos afetados
wordpresschef · Salon Booking System – Free VersionQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://plugins.trac.wordpress.org/browser/salon-booking-system/tags/10.20/src/SLN/Plugin.php#L232https://plugins.trac.wordpress.org/changeset/3360651/salon-booking-system/trunk/src/SLN/Action/Ajax/UploadFile.phphttps://www.wordfence.com/threat-intel/vulnerabilities/id/9a63a4ec-80e6-48cc-a778-97fa3917817e?source=cve