Platform
wordpress
Component
salon-booking-system
Fixed in
10.30.4
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Salon booking system. This vulnerability allows an attacker to execute unauthorized actions on behalf of an authenticated user. The issue affects versions from 0.0.0 up to and including 10.30.3, and a patch is available in version 10.30.4.
The CSRF vulnerability in Salon booking system allows an attacker to trick a logged-in user into performing actions they did not intend to. For example, an attacker could craft a malicious link or embed a hidden form on a website that, when visited by a legitimate user, would trigger actions like modifying appointments, changing user details, or even creating new accounts without the user's knowledge. The potential impact ranges from minor account modifications to significant data breaches and unauthorized administrative actions, depending on the privileges of the affected user.
This vulnerability is publicly disclosed and documented in CVE-2025-66531. While no active exploitation campaigns have been reported, the ease of exploiting CSRF vulnerabilities means it remains a potential risk. No KEV listing or EPSS score is currently available.
Websites utilizing the Salon booking system plugin, particularly those with shared hosting environments or those that haven't implemented robust security practices, are at increased risk. Users who frequently access the Salon booking system through untrusted links or websites are also vulnerable.
• wordpress / composer / npm:
grep -r 'salon-booking-system' /var/www/html/wp-content/plugins/
wp plugin list | grep salon-booking-system
• generic web:
curl -I https://example.com/salon-booking-system/appointment/create | grep -i 'csrf-token'
Exploit status
EPSS
0.02% (percentile 6%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66531 is to upgrade the Salon booking system to version 10.30.4 or later. If upgrading is not immediately feasible, consider temporary workarounds such as adding CSRF tokens (WordPress nonces) to every state-changing form and request and verifying them server-side before the action runs. Implement strict Content Security Policy (CSP) headers to restrict the sources from which the browser can load resources. Regularly review and validate user input to prevent unexpected behavior.
Update to version 10.30.4 or a later fixed version.
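The "CSRF tokens" workaround above is, in WordPress terms, a nonce that is emitted with the form and verified before the handler changes state. The following is an added example written for this page, not code from the Salon Booking System plugin; the `sbs_demo_` function and field names, the `admin-post.php` action and the `edit_posts` capability are assumptions chosen for illustration. It uses only core WordPress functions (`wp_nonce_field`, `wp_verify_nonce`, `current_user_can`, `wp_die`).

```php
<?php
// Added example (not the Salon Booking System plugin's own code): a
// state-changing action guarded by a WordPress nonce plus a capability
// check. Every 'sbs_demo_' identifier is hypothetical.

// Render the form. wp_nonce_field() adds a hidden token bound to this
// action string and to the current user's session.
function sbs_demo_render_cancel_form( $appointment_id ) {
    $appointment_id = (int) $appointment_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sbs_demo_cancel_appointment">
        <input type="hidden" name="appointment_id" value="<?php echo $appointment_id; ?>">
        <?php wp_nonce_field( 'sbs_demo_cancel_' . $appointment_id, 'sbs_demo_nonce' ); ?>
        <button type="submit">Cancel appointment</button>
    </form>
    <?php
}

// Handle the POST. Without step 1, any third-party page the victim visits
// could auto-submit an identical form with the victim's cookies attached,
// which is exactly the CSRF pattern the advisory describes.
function sbs_demo_handle_cancel() {
    $appointment_id = isset( $_POST['appointment_id'] ) ? (int) $_POST['appointment_id'] : 0;
    $nonce          = isset( $_POST['sbs_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['sbs_demo_nonce'] ) )
        : '';

    // 1. Reject requests that lack a valid, unexpired nonce for this exact
    //    action. A cross-site page cannot read the token, so it cannot forge it.
    if ( ! wp_verify_nonce( $nonce, 'sbs_demo_cancel_' . $appointment_id ) ) {
        wp_die( 'Invalid request.', 'Request blocked', array( 'response' => 403 ) );
    }

    // 2. A nonce proves intent, not authorisation: still check the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Request blocked', array( 'response' => 403 ) );
    }

    // 3. Only now perform the state change (hypothetical cancel logic goes here).
    // sbs_demo_cancel_appointment( $appointment_id );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}

// The hook suffix must match the form's hidden "action" value.
add_action( 'admin_post_sbs_demo_cancel_appointment', 'sbs_demo_handle_cancel' );
```

For AJAX endpoints the same rule applies with `check_ajax_referer( 'action', 'field' )` in place of `wp_verify_nonce()`; the important part is that the verification happens in the handler, before any database write, and that it is paired with a capability check because a nonce alone says nothing about what the user is allowed to do.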
CVE-2025-66531 is a Cross-Site Request Forgery (CSRF) vulnerability in the Salon booking system plugin, allowing attackers to perform unauthorized actions on behalf of logged-in users.
You are affected if you are using Salon booking system versions 0.0.0 through 10.30.3. Upgrade to 10.30.4 to mitigate the risk.
Upgrade the Salon booking system plugin to version 10.30.4 or later. Consider implementing CSRF tokens and strict CSP headers as temporary workarounds.
No active exploitation campaigns have been reported, but the ease of CSRF exploitation means it remains a potential risk.
Refer to the official Salon booking system plugin documentation or website for the latest advisory and security updates.