CVE-2025-67954
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: Patchstack
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves exposure of sensitive data to unauthorized users, which could lead to non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive information. However, specific impacts on compliance or regulatory requirements are not detailed in the provided resources. [1]
Can you explain this vulnerability to me?
CVE-2025-67954 is a medium-severity vulnerability in the WordPress Salon Booking System plugin (versions up to and including 10.30.3). Because of broken access control (OWASP Top 10 category A01), an authenticated user with only subscriber-level privileges can reach functionality that returns sensitive system information which should be restricted to higher-privileged users. The weakness is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). [1]
How can this vulnerability impact me?
This vulnerability allows relatively low-privileged users (subscriber level, the default role for self-registered accounts on many sites) to read sensitive information held by the Salon Booking System plugin. Information of this kind typically helps an attacker plan further attacks against the site, so the exposure can lead to compromise of user data, system integrity and overall security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The most reliable check is the installed plugin version: every Salon Booking System release up to and including 10.30.3 is affected, so compare the version shown on the Plugins screen of the WordPress admin (or reported by WP-CLI's `wp plugin get` command) against the fixed release 10.30.4. For evidence of exploitation, inspect web server access logs for requests to the plugin's admin-ajax or REST endpoints coming from subscriber-level accounts; access logs do not record the WordPress role, so a suspicious session has to be correlated with its user through WordPress's own audit or security plugin logs. Patchstack's mitigation rules can also detect and block exploitation attempts. The source does not provide specific commands. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the Salon Booking System plugin to version 10.30.4 or later, the release that contains the fix; every version up to and including 10.30.3 remains affected. Until the update can be applied, apply Patchstack's mitigation rule, which blocks attacks targeting this vulnerability. Patchstack also offers automatic updates for vulnerable plugins so that the fix is applied quickly. [1]