CVE-2025-67954
Status: Awaiting Analysis (NVD queue)
Source: BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-29

Assigner: Patchstack

Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system (salon-booking-system) allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3.
Meta Information
Published: 2026-01-22
Last Modified: 2026-01-29
Generated: 2026-06-16
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-497: The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Executive Summary

CVE-2025-67954 is a medium priority vulnerability in the WordPress Salon booking system plugin (versions up to 10.30.3) that allows unauthorized users with subscriber-level privileges to access sensitive system information that should normally be restricted. This is due to broken access control, classified under OWASP Top 10 category A1. Exploiting this vulnerability could enable attackers to retrieve embedded sensitive data from the system. [1]

Impact Analysis

This vulnerability can impact you by allowing relatively low-privileged users (subscriber-level) to access sensitive information within the Salon booking system. This exposure of sensitive data could lead to further exploitation of the system, potentially compromising user data, system integrity, and overall security. [1]

Detection Guidance

Detection can involve monitoring for unauthorized access attempts to sensitive data within the Salon booking system plugin, especially from users with subscriber-level privileges. Since the vulnerability allows retrieval of embedded sensitive data, inspecting web server logs for suspicious requests targeting the plugin endpoints may help. Additionally, using Patchstack's mitigation rules can help detect and block exploitation attempts. Specific commands are not provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Salon booking system plugin to version 10.30.4 or later, which contains the fix for this vulnerability. Until the update can be applied, applying Patchstack's provided mitigation rule to block attacks targeting this vulnerability is recommended. Patchstack also offers automatic updates for vulnerable plugins to ensure rapid protection. [1]

Compliance Impact

The vulnerability involves exposure of sensitive data to unauthorized users, which could lead to non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive information. However, specific impacts on compliance or regulatory requirements are not detailed in the provided resources. [1]
