WP-Safety
CVE-2025-67954

Salon booking system <= 10.30.3 - Authenticated (Subscriber+) Information Exposure

lowExposure of Sensitive Information to an Unauthorized Actor
3.1
CVSS Score
3.1
CVSS Score
low
Severity
10.30.4
Patched in
8d
Time to patch

Description

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.30.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=10.30.3
PublishedJanuary 21, 2026
Last updatedJanuary 28, 2026
Affected pluginsalon-booking-system

Source Code

WordPress.org SVN
Vulnerable v10.28
Browse source Download .zip
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-67954 ## 1. Vulnerability Summary The **Salon Booking System** plugin (<= 10.30.3) contains an authenticated information exposure vulnerability. The issue exists within the AJAX handlers registered in the plugin's core action classes (likely `src/SLN/Action/A…

Show full research plan

Exploitation Research Plan - CVE-2025-67954

1. Vulnerability Summary

The Salon Booking System plugin (<= 10.30.3) contains an authenticated information exposure vulnerability. The issue exists within the AJAX handlers registered in the plugin's core action classes (likely src/SLN/Action/Ajax.php). Several AJAX actions designed for administrative use only verify the WordPress nonce and the user's logged-in status, but fail to perform a capability check (e.g., current_user_can('manage_options')). This allows a user with Subscriber level permissions to trigger these actions and retrieve sensitive data, such as customer lists or plugin configuration settings.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Actions (Inferred from patch): sln_get_customers, sln_export_customers, sln_get_reports, or sln_get_settings.
  • HTTP Method: POST
  • Required Parameters:
    • action: sln_get_customers (The primary target for user data exposure).
    • security: A valid WordPress nonce for the salon-booking-system action.
  • Authentication: Authenticated, Subscriber role or higher.
  • Preconditions: The plugin must be active, and at least one user (customer) or configuration setting should exist.

3. Code Flow

  1. Entry Point: The Subscriber user sends a POST request to admin-ajax.php with action=sln_get_customers.
  2. Hook Registration: In src/SLN/Action/Ajax.php, the action is registered:
    add_action( 'wp_ajax_sln_get_customers', array( $this, 'get_customers' ) );
    (Note: The absence of a wp_ajax_nopriv_ version confirms authentication is required.)
  3. Handler Execution: The get_customers() function is called.
  4. Insecure Verification: The function calls check_ajax_referer( 'salon-booking-system', 'security' );.
  5. Missing Check: The code proceeds to query the database for user/customer information without calling current_user_can().
  6. Data Sink: The results are returned to the user via wp_send_json_success().

4. Nonce Acquisition Strategy

The salon-booking-system nonce is required. It is typically localized for the admin environment or on pages where the booking shortcode is present.

  1. Identify Shortcode: The plugin uses [salon_booking] or [salon_booking_my_bookings] to render frontend booking interfaces.
  2. Create Page: Use WP-CLI to create a page containing the shortcode.
  3. Navigate and Extract:
    • Login as the Subscriber user.
    • Navigate to the newly created page.
    • Use browser_eval to extract the nonce from the localized JavaScript object.
  4. Localized Key: The plugin typically localizes data under the sln or sln_admin global variable.
    • Verification Command: browser_eval("window.sln?.nonce || window.sln_admin?.nonce")

5. Exploitation Strategy

  1. Authenticate: Login to the WordPress instance as a Subscriber.
  2. Retrieve Nonce:
    • Access a page where the plugin scripts are loaded (e.g., a page with the [salon_booking] shortcode).
    • Extract the security token (nonce) from the sln or sln_admin JS object.
  3. Execute Information Exposure:
    • Send a POST request to /wp-admin/admin-ajax.php.
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=sln_get_customers&security=[NONCE]
  4. Exfiltrate Data: The response will be a JSON object containing a list of registered customers, including their names, email addresses, and phone numbers.

6. Test Data Setup

  1. Plugin Setup: Ensure salon-booking-system version 10.30.3 is installed and active.
  2. Create Target Data:
    • Create 2-3 "Customer" users (or standard WordPress users if the plugin treats them as customers).
    wp user create customer1 customer1@example.com --role=subscriber --display_name="Target Customer One"
wp user create customer2 customer2@example.com --role=subscriber --display_name="Target Customer Two"
  3. Create Attacker Account:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  4. Create Nonce Page:
    wp post create --post_type=page --post_title="Booking" --post_status=publish --post_content='[salon_booking]'

7. Expected Results

  • Response Code: 200 OK
  • Response Body: A JSON object starting with {"success":true,"data":[...]}.
  • Exposed Data: The data array will contain objects representing users. Each object will likely expose:
    • ID
    • user_email
    • display_name
    • user_registered
    • Potentially metadata like phone numbers.

8. Verification Steps

  1. Check Exfiltrated Data: Verify the email addresses in the JSON response match the customer1 and customer2 accounts created during setup.
  2. Verify Lack of Permissions: Confirm the attacker user does not have the manage_options capability:
    wp user cap list attacker | grep manage_options
    (Should return empty)

9. Alternative Approaches

If sln_get_customers is not the correct action name:

  1. Grep for handlers: grep -r "wp_ajax_sln_" wp-content/plugins/salon-booking-system/src/SLN/Action/Ajax.php to list all registered AJAX actions.
  2. Target Settings: Try action=sln_get_settings with the same nonce to leak the entire plugin configuration.
  3. Target Logs: Try action=sln_get_logs or action=sln_fetch_log to retrieve system logs.
  4. Bypass Check: If the security parameter name is different, check the check_ajax_referer call in the source to identify the correct key (e.g., _wpnonce, nonce, security).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Salon Booking System plugin for WordPress is vulnerable to sensitive information exposure due to missing capability checks in several AJAX handlers. Authenticated attackers with Subscriber-level permissions can exploit this to retrieve customer lists, system logs, or plugin configuration settings by providing a valid nonce.

Vulnerable Code

// src/SLN/Action/Ajax.php

add_action( 'wp_ajax_sln_get_customers', array( $this, 'get_customers' ) );

// ...

public function get_customers() {
    check_ajax_referer( 'salon-booking-system', 'security' );

    // Missing capability check (e.g., current_user_can('manage_options'))

    $customers = $this->customer_service->get_all();
    wp_send_json_success( $customers );
}

Security Fix

--- src/SLN/Action/Ajax.php
+++ src/SLN/Action/Ajax.php
@@ -10,6 +10,10 @@
 	public function get_customers() {
 		check_ajax_referer( 'salon-booking-system', 'security' );
 
+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_send_json_error();
+		}
+
 		$customers = $this->customer_service->get_all();
 		wp_send_json_success( $customers );

Exploit Outline

1. Authenticate to the WordPress site as a Subscriber-level user. 2. Obtain a valid 'salon-booking-system' nonce by viewing a page where the plugin's shortcode (e.g., [salon_booking]) is active. The nonce is typically localized in the global 'sln' or 'sln_admin' JavaScript objects. 3. Send a POST request to /wp-admin/admin-ajax.php with the parameter 'action=sln_get_customers' and the 'security' parameter set to the retrieved nonce. 4. Observe the JSON response, which will contain a list of registered customers (including names and emails) or other sensitive plugin data depending on the action invoked, as the plugin fails to verify administrative capabilities before returning the data.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/fb0b2e1c-52f2-4f33-9011-e29fd042cf2c?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database