Salon booking system <= 9.6.5 - Cross-Site Request Forgery to Settings Update

Wordfence Intelligence   >   Vulnerability Database   >   Salon booking system <= 9.6.5 - Cross-Site Request Forgery to Settings Update
4.3
Cross-Site Request Forgery (CSRF)
CVE CVE-2024-2429
CVSS 4.3 (Medium)
Publicly Published April 26, 2024
Last Updated May 1, 2024
Researcher Bob Matyas - Automattic

Description

The Salon booking system plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.6.5. This is due to missing or incorrect nonce validation on the salon-settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References

Share

Vulnerability Details for Salon Booking System – Free Version

Salon Booking System – Free Version

Software Type Plugin
Software Slug salon-booking-system (view on wordpress.org)
Patched? Yes
Remediation Update to version 9.6.6, or a newer patched version
Affected Version
  • <= 9.6.5
Patched Version
  • 9.6.6

Recent vulnerabilities in Salon Booking System – Free Version

Salon Booking System – Free Version <= 10.30.25 - Missing Authorization
5.3
CVE-2026-42666
May 10, 2026
Researcher: Evan NR
Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal
7.5
CVE-2026-6320
May 1, 2026
Researcher: daroo
Salon Booking System – Free Version <= 10.30.24 - Unauthenticated Insecure Direct Object Reference
5.3
CVE-2026-40768
Apr 21, 2026
Researcher: Lubin Regnault
Salon booking system <= 10.30.3 - Authenticated (Subscriber+) Information Exposure
3.1
CVE-2025-67954
Jan 21, 2026
Researcher: daroo
Salon booking system <= 10.30.3 - Cross-Site Request Forgery
4.3
CVE-2025-66531
Dec 7, 2025
Researcher: daroo
Salon Booking System <= 10.22 - Missing Authorization to Unauthenticated AJAX Actions Execution
5.3
CVE-2025-8492
Sep 10, 2025
Researcher: CodeCheq Devs
Salon booking system <= 10.16 - Cross-Site Request Forgery to Arbitrary Post/Page Deletion
4.3
CVE-2025-47583
May 15, 2025
Researcher: NAWardRox
Salon booking system <= 10.29.6 - Missing Authorization
4.3
CVE-2025-32220
Apr 4, 2025
Researcher: NAWardRox
Salon booking system <= 10.11 - Authenticated Privilege Escalation
8.8
CVE-2025-31560
Apr 1, 2025
Researcher: Revan Arifio
Salon booking system <= 10.9 - Authenticated (Subscriber+) Insecure Direct Object Reference
4.3
CVE-2024-47316
Sep 25, 2024
Researcher: Sharanabasappa
# Title CVE ID CVSS Researchers Date
1 Salon Booking System – Free Version <= 10.30.25 - Missing Authorization CVE-2026-42666 5.3 Evan NR May 10, 2026
2 Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal CVE-2026-6320 7.5 daroo May 1, 2026
3 Salon Booking System – Free Version <= 10.30.24 - Unauthenticated Insecure Direct Object Reference CVE-2026-40768 5.3 Lubin Regnault April 21, 2026
4 Salon booking system <= 10.30.3 - Authenticated (Subscriber+) Information Exposure CVE-2025-67954 3.1 daroo January 21, 2026
5 Salon booking system <= 10.30.3 - Cross-Site Request Forgery CVE-2025-66531 4.3 daroo December 7, 2025
6 Salon Booking System <= 10.22 - Missing Authorization to Unauthenticated AJAX Actions Execution CVE-2025-8492 5.3 CodeCheq Devs September 10, 2025
7 Salon booking system <= 10.16 - Cross-Site Request Forgery to Arbitrary Post/Page Deletion CVE-2025-47583 4.3 NAWardRox May 15, 2025
8 Salon booking system <= 10.29.6 - Missing Authorization CVE-2025-32220 4.3 NAWardRox April 4, 2025
9 Salon booking system <= 10.11 - Authenticated Privilege Escalation CVE-2025-31560 8.8 Revan Arifio April 1, 2025
10 Salon booking system <= 10.9 - Authenticated (Subscriber+) Insecure Direct Object Reference CVE-2024-47316 4.3 Sharanabasappa September 25, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation