Platform: wordpress
Component: salon-booking-system
Fixed in: 10.30.4
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Salon booking system. This vulnerability allows an attacker to execute unauthorized actions on behalf of an authenticated user. The issue affects versions from 0.0.0 up to and including 10.30.3, and a patch is available in version 10.30.4.
The CSRF vulnerability in Salon booking system allows an attacker to trick a logged-in user into performing actions they did not intend to. Because the browser automatically attaches the user's session cookies to any request sent to the site, an attacker could craft a malicious link or embed a hidden form on a website that, when visited by a legitimate user, would trigger actions like modifying appointments, changing user details, or even creating new accounts without the user's knowledge. The potential impact ranges from minor account modifications to significant data breaches and unauthorized administrative actions, depending on the privileges of the affected user.
This vulnerability is publicly disclosed and documented in CVE-2025-66531. While no active exploitation campaigns have been reported, the ease of exploiting CSRF vulnerabilities means it remains a potential risk. No KEV listing or EPSS score is currently available.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-66531 is to upgrade the Salon booking system to version 10.30.4 or later. If upgrading is not immediately feasible, temporary workarounds include adding CSRF tokens (WordPress nonces) to all sensitive forms and requests and verifying them server-side before any state-changing action. Implement strict Content Security Policy (CSP) headers to restrict the sources from which the browser can load resources. Regularly review and validate user input to prevent unexpected behavior.
Update to version 10.30.4, or a newer patched version
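The pattern described above (a state-changing plugin action accepted without a request token) and the nonce-based workaround from the mitigation paragraph, shown as an added example. This is constructed illustration code, not the Salon booking system plugin's own source; the handler names, the `sbs_cancel_appointment` action and the `_sbs_status` meta key are assumptions.

```php
<?php
// Added example (not code from the Salon booking system plugin): a hypothetical
// WordPress AJAX handler that cancels an appointment, shown first without CSRF
// protection and then hardened with a nonce check plus a capability check.
// Handler names, the 'sbs_cancel_appointment' action and '_sbs_status' are assumptions.

// VULNERABLE PATTERN: any POST carrying an appointment id is honoured, so a
// hidden form on a third-party page can submit it with the victim's cookies.
function sbs_cancel_appointment_unsafe() {
    $id = isset( $_POST['appointment_id'] ) ? absint( $_POST['appointment_id'] ) : 0;
    if ( $id ) {
        update_post_meta( $id, '_sbs_status', 'cancelled' );
    }
    wp_send_json_success( array( 'cancelled' => $id ) );
}

// HARDENED: require a nonce bound to this action and the current user's session,
// then confirm the user is actually allowed to change this appointment.
function sbs_cancel_appointment_safe() {
    // Exits with a 403 JSON error unless $_POST['_ajax_nonce'] (or _wpnonce)
    // is a valid nonce for the 'sbs_cancel_appointment' action.
    check_ajax_referer( 'sbs_cancel_appointment' );

    $id = isset( $_POST['appointment_id'] ) ? absint( $_POST['appointment_id'] ) : 0;
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'not allowed' ), 403 );
    }
    update_post_meta( $id, '_sbs_status', 'cancelled' );
    wp_send_json_success( array( 'cancelled' => $id ) );
}
// Only the hardened handler is registered for logged-in users.
add_action( 'wp_ajax_sbs_cancel_appointment', 'sbs_cancel_appointment_safe' );

// The legitimate front end must send the nonce with the request; a form on an
// attacker's site cannot obtain it. wp_nonce_field() emits the hidden input.
function sbs_render_cancel_form( $appointment_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="sbs_cancel_appointment">
        <input type="hidden" name="appointment_id" value="<?php echo absint( $appointment_id ); ?>">
        <?php wp_nonce_field( 'sbs_cancel_appointment', '_ajax_nonce' ); ?>
        <button type="submit">Cancel appointment</button>
    </form>
    <?php
}
```

A request lacking a valid `_ajax_nonce` never reaches the cancel logic, which is the server-side check the advisory's CSRF-token workaround relies on.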
CVE-2025-66531 is a Cross-Site Request Forgery (CSRF) vulnerability in the Salon booking system plugin, allowing attackers to perform unauthorized actions on behalf of logged-in users.
You are affected if you are using Salon booking system versions 0.0.0 through 10.30.3. Upgrade to 10.30.4 to mitigate the risk.
Upgrade the Salon booking system plugin to version 10.30.4 or later. Consider implementing CSRF tokens and strict CSP headers as temporary workarounds.
No active exploitation campaigns have been reported, but the ease of CSRF exploitation means it remains a potential risk.
Refer to the official Salon booking system plugin documentation or website for the latest advisory and security updates.