CVE-2026-11887

Unauthenticated Setting Modification in Salon Booking System WordPress Plugin

Vulnerability report for CVE-2026-11887, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: WPScan

Description

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a plugin setting and bypass the manual approval of new bookings.



Affected Vendors & Products

One associated CPE:

Vendor: salon_booking_system
Product: salon_booking_system
Version / Range: up to 10.30.20 (exclusive)

Executive Summary

The Salon Booking System plugin for WordPress, prior to version 10.30.20, contains a vulnerability that allows any authenticated user, including subscribers, to bypass the manual approval process for new bookings.

This happens because the plugin does not have proper authorization checks on one of its AJAX actions, which lets users modify a plugin setting to automatically confirm all new bookings.

The vulnerability is classified under OWASP A5 (Broken Access Control) and CWE-862 (Missing Authorization).

Impact Analysis

This vulnerability allows any authenticated user, even one with low-level permissions such as a subscriber, to bypass the manual approval process for new bookings.

As a result, unauthorized or unverified bookings could be automatically confirmed without proper oversight, potentially leading to misuse or abuse of the booking system.

Mitigation Strategies

To mitigate this vulnerability, you should update the Salon Booking System WordPress plugin to version 10.30.20 or later, where the issue has been fixed.

Until the update is applied, restrict which authenticated user roles can reach the vulnerable AJAX action, so that low-privileged accounts cannot modify plugin settings or bypass the manual approval of new bookings.
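As an added example (not the plugin's own code), the WordPress admin-ajax handler pattern this advisory describes: the first handler omits the authorization check, the second adds the nonce and capability checks that stop a subscriber from changing the setting. Handler, option, hook and nonce names are hypothetical.

```php
<?php
// Added example, not Salon Booking System code. Option name, action name
// and page hook are assumptions chosen for illustration.

// Vulnerable pattern (the bug class described above): every logged-in user
// can invoke wp_ajax_* handlers, so without a capability check a subscriber
// can change a setting that should be restricted to administrators.
function hyp_save_booking_setting_unchecked() {
    $value = isset( $_POST['auto_confirm'] ) ? (int) $_POST['auto_confirm'] : 0;
    update_option( 'hyp_auto_confirm_bookings', 1 === $value );
    wp_send_json_success();
}

// Hardened version: require a valid nonce (request intent) and the
// capability needed to manage plugin settings (authorization).
function hyp_save_booking_setting() {
    // Rejects forged cross-site requests; dies with HTTP 403 on failure.
    check_ajax_referer( 'hyp_settings_nonce', 'nonce' );

    // The authorization check the advisory says was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $value = isset( $_POST['auto_confirm'] ) ? (int) wp_unslash( $_POST['auto_confirm'] ) : 0;
    update_option( 'hyp_auto_confirm_bookings', 1 === $value );
    wp_send_json_success( array( 'auto_confirm' => 1 === $value ) );
}
add_action( 'wp_ajax_hyp_save_booking_setting', 'hyp_save_booking_setting' );
// No wp_ajax_nopriv_ registration: unauthenticated visitors never reach it.

// Hand the nonce to the settings page script (hypothetical page hook).
function hyp_enqueue_settings_script( $hook ) {
    if ( 'settings_page_hyp' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'hyp-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hyp-settings', 'hypSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hyp_settings_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hyp_enqueue_settings_script' );
```

The capability check is the control that matters for this CVE; the nonce alone does not authorize, since any logged-in user can obtain one from a page that emits it.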
