CVE-2026-15070

wordpresschef · Salon Booking System – Free Version

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), potentially allowing unauthorized administrative actions.

Executive summary

A Cross-Site Request Forgery (CSRF) vulnerability in the Salon Booking System plugin allows attackers to perform unauthorized actions on behalf of authenticated administrators.

Vulnerability

The plugin is susceptible to CSRF (CWE-352), where an attacker can trick an authenticated administrator into executing unintended actions. This is achieved by inducing the victim to visit a malicious site or link, subsequently triggering unauthorized requests to the plugin's settings or booking functions.

Business impact

The CVSS score of 8.8 reflects the high risk posed by this vulnerability, as it can lead to full administrative control over the plugin’s settings. An attacker could modify booking configurations, delete data, or manipulate site settings, resulting in significant business disruption and potential loss of customer trust.

Remediation

Immediate Action: Update the Salon Booking System – Free Version plugin to the latest version that includes necessary anti-CSRF token validation.

Proactive Monitoring: Monitor site traffic and administrative logs for suspicious modifications to booking settings or unusual administrative activity performed during non-working hours.

Compensating Controls: Ensure that administrators are logged out of the WordPress dashboard when browsing other sites and utilize browser extensions that mitigate CSRF risks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a significant risk to the integrity of your booking data. We strongly recommend updating the plugin immediately and reviewing current plugin settings to ensure no unauthorized changes have already occurred.