CVE-2026-11887
Received
Received - Intake
Unauthenticated Setting Modification in Salon Booking System WordPress Plugin
Vulnerability report for CVE-2026-11887, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-01
Last updated on: 2026-07-01
Assigner: WPScan
Description
Description
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new bookings.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| salon_booking_system | salon_booking_system | to 10.30.20 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |