CVE-2024-4468
EUVD-2024-4408308.06.2024, 08:15
The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| salonbookingsystem | salon_booking_system | 𝑥 < 10.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-280 - Improper Handling of Insufficient Permissions or PrivilegesThe application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.
- CWE-862 - Missing AuthorizationThe software does not perform an authorization check when an actor attempts to access a resource or perform an action.
References