CVE-2026-15070
wordpresschef · Salon Booking System – Free Version
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), potentially allowing unauthorized administrative actions.
Executive summary
A Cross-Site Request Forgery (CSRF) vulnerability in the Salon Booking System plugin allows attackers to perform unauthorized actions on behalf of authenticated administrators.
Vulnerability
The plugin is susceptible to CSRF (CWE-352), where an attacker can trick an authenticated administrator into executing unintended actions. This is achieved by inducing the victim to visit a malicious site or link, subsequently triggering unauthorized requests to the plugin's settings or booking functions.
Business impact
The CVSS score of 8.8 reflects the high risk posed by this vulnerability, as it can lead to full administrative control over the plugin’s settings. An attacker could modify booking configurations, delete data, or manipulate site settings, resulting in significant business disruption and potential loss of customer trust.
Remediation
Immediate Action: Update the Salon Booking System – Free Version plugin to the latest version that includes necessary anti-CSRF token validation.
Proactive Monitoring: Monitor site traffic and administrative logs for suspicious modifications to booking settings or unusual administrative activity performed during non-working hours.
Compensating Controls: Ensure that administrators are logged out of the WordPress dashboard when browsing other sites and utilize browser extensions that mitigate CSRF risks.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a significant risk to the integrity of your booking data. We strongly recommend updating the plugin immediately and reviewing current plugin settings to ensure no unauthorized changes have already occurred.