CVE-2026-40768
Deferred - Pending Action
Unauthenticated IDOR in Salon Booking System

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system versions <= 10.30.24.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: salon_booking_system
Version / Range: up to 10.30.24 (inclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

CVE-2026-40768 is an Insecure Direct Object References (IDOR) vulnerability found in the WordPress Salon booking system Plugin versions 10.30.24 and below.

This flaw allows attackers to bypass authentication and authorization controls, enabling them to access sensitive files, folders, or database information without proper permissions.

It is classified as a high priority vulnerability with a CVSS score of 7.3 and falls under the OWASP Top 10 category of Broken Access Control (A1).

Impact Analysis

This vulnerability can have serious impacts as it allows unauthorized attackers to access sensitive data and system components without any authentication.

Potential impacts include unauthorized access to confidential files, manipulation of booking data, exposure of user information, and disruption of service availability.

Because the vulnerability can be exploited remotely over the network without any user interaction, it poses a high risk of mass exploitation affecting many websites.

Mitigation Strategies

The vulnerability affects the WordPress Salon booking system Plugin versions 10.30.24 and below and allows attackers to bypass authorization and authentication mechanisms.

Immediate mitigation steps include updating the plugin to version 10.30.25 or later, where the issue has been patched.

Until the update can be applied, Patchstack provides a mitigation rule to block attacks targeting this vulnerability.

Compliance Impact

The vulnerability allows attackers to bypass authorization and authentication mechanisms, potentially accessing sensitive files, folders, or database interactions without proper permissions.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to inadequate access controls and potential data breaches.

Detection Guidance

The vulnerability is an Insecure Direct Object References (IDOR) flaw in the WordPress Salon booking system Plugin versions 10.30.24 and below, allowing unauthorized access to sensitive resources.

To determine whether a site is affected, check whether the installed version of the Salon booking system plugin is 10.30.24 or lower, as these versions are vulnerable.

Since the vulnerability allows bypassing authorization and authentication, monitoring HTTP requests for unauthorized access attempts to sensitive endpoints related to the plugin could help detect exploitation attempts.

Patchstack provides a mitigation rule to block attacks until the plugin is updated, which can be used as a temporary detection and prevention measure.

No specific detection commands or scripts are provided in the available resources.
