CVE-2026-25334
Incorrect Privilege Assignment in Salon Booking System Pro Leads to Escalation
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpresschef | salon_booking_system_pro | to 10.30.12 (exc) |
| patchstack | salon_booking_system_pro | to 10.30.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25334 is a critical security vulnerability in the WordPress Salon Booking System Pro Plugin versions prior to 10.30.12. It is a Broken Authentication flaw that allows unauthenticated attackers to perform actions normally restricted to higher-privileged users.
Specifically, this vulnerability enables attackers to escalate their privileges and potentially gain administrative access to affected websites.
It falls under the OWASP Top 10 category A7: Identification and Authentication Failures.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows unauthorized users to gain administrative access to your website.
With administrative privileges, attackers can manipulate website content, steal sensitive data, install malicious software, or disrupt services.
Such attacks are often part of mass campaigns targeting many sites, regardless of their size or popularity.
Immediate patching to version 10.30.12 or later is strongly advised to mitigate these risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-25334 vulnerability affects WordPress Salon Booking System Pro Plugin versions prior to 10.30.12 and allows unauthenticated attackers to gain administrative access. Detection involves identifying if your system is running a vulnerable version of the plugin.
To detect this vulnerability on your system, you should check the installed version of the Salon Booking System Pro plugin. For example, you can use WordPress CLI commands to list installed plugins and their versions.
- Run the command: wp plugin list --status=active | grep salon-booking-plugin-pro
- Check the version output to see if it is prior to 10.30.12.
Additionally, monitoring network traffic for suspicious authentication attempts or privilege escalation activities targeting the plugin endpoints may help detect exploitation attempts, but specific commands for this are not provided.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to update the Salon Booking System Pro plugin to version 10.30.12 or later, as this version contains the patch that fixes the vulnerability.
Until you can update, applying the mitigation rule provided by Patchstack to block attacks targeting this flaw is recommended.
Using Patchstack's automatic mitigation and auto-update features can also enhance protection against exploitation.
- Update the plugin to version 10.30.12 or later immediately.
- Apply Patchstack's mitigation rules to block attack attempts.
- Enable automatic mitigation and auto-update features if available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-25334 vulnerability allows unauthenticated attackers to gain administrative access through broken authentication, which can lead to unauthorized access to sensitive data.
Such unauthorized access could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Therefore, if exploited, this vulnerability may compromise the confidentiality and integrity of data, impacting compliance with these regulations.