CVE-2025-8492
Salon Booking System <= 10.22 - Missing Authorization to Unauthenticated AJAX Actions Execution
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.22. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
wordpresschef · Salon Booking System – Free VersionWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://plugins.trac.wordpress.org/browser/salon-booking-system/tags/10.20/src/SLN/Plugin.php#L232https://plugins.trac.wordpress.org/changeset/3360651/salon-booking-system/trunk/src/SLN/Action/Ajax/UploadFile.phphttps://www.wordfence.com/threat-intel/vulnerabilities/id/9a63a4ec-80e6-48cc-a778-97fa3917817e?source=cve