CVE-2024-4468: Salon booking system <= 9.9 - Missing Authorization
First published: Sat Jun 08 2024(Updated: )
The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Salon Booking System WordPress Plugin | <10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8b73f864-68b5-4ba8-93a3-37f2564cc240?source=cve
- https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLN/Admin/Tools.php#L12
- https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLN/Admin/Tools.php#L16
- https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLN/Admin/Tools.php#L231
- https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php#L7
- https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php#L10
- https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php#L16
- https://plugins.trac.wordpress.org/changeset/3098413/salon-booking-system/trunk/src/SLN/Admin/Tools.php
- https://plugins.trac.wordpress.org/changeset/3098413/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php
Frequently Asked Questions
What is the severity of CVE-2024-4468?
CVE-2024-4468 is classified as a high severity vulnerability due to its potential for unauthorized access and data modification.
How do I fix CVE-2024-4468?
To fix CVE-2024-4468, upgrade the Salon Booking System plugin to version 10.0 or later.
Who is affected by CVE-2024-4468?
All versions of the Salon Booking System plugin for WordPress up to and including 9.9 are affected by CVE-2024-4468.
What actions can an attacker perform due to CVE-2024-4468?
An attacker can gain unauthorized access and modify data in the Salon Booking System plugin due to a missing capability check.
When was CVE-2024-4468 disclosed?
CVE-2024-4468 was disclosed recently, with organizations encouraged to address it promptly to prevent exploitation.
- agent/references
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/weakness
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- agent/source
- vendor/salonbookingsystem
- canonical/salon booking system wordpress plugin