
CVE-2026-11887

MEDIUM Exploitation: PoC
4.3
CVSS 3.1
Description
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a plugin setting and bypass the manual approval of new bookings.

Metadata

CVE ID
CVE-2026-11887
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-10 14:21 UTC
Published
2026-07-01 06:00 UTC
Last updated
2026-07-01 10:16 UTC
Vendor / Product
Unknown / Salon Booking System
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
Vendor | Product | Platform | Versions
Unknown | Salon Booking System | | 0 < 10.30.20
Weakness (CWE)
CWE | Source | Description
CWE-862 | cna | Missing Authorization
CVSS scores (1)
Score | Severity | Version | Source | Vector
4.3 | MEDIUM | 3.1 | adp | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N