CVE-2026-11887 PUBLISHED

Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass

Assigner: WPScan
Reserved: 10.06.2026 Published: 01.07.2026 Updated: 01.07.2026

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a plugin setting and bypass the manual approval of new bookings.

Product Status

Vendor Unknown
Product Salon Booking System
Versions Default: unaffected
  • affected from 0 to 10.30.20 (excl.)

Credits

  • kevin(@OPCIA) finder
  • WPScan coordinator

Problem Types

  • CWE-862 Missing Authorization