Description

WordPress Plugin Salon Booking System is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin Salon Booking System version 3.13.1 is vulnerable; prior versions may also be affected.

Remediation

Edit the source code to ensure that CSRF protection is implemented with Nonce-like mechanism or disable the plugin until a fix is available

References

https://www.pluginvulnerabilities.com/2017/06/27/cross-site-request-forgery-csrfsettings-change-vulnerability-in-salon-booking-system/

Related Vulnerabilities

WordPress Plugin Broadcast Live Video-Live Streaming:HTML5, WebRTC, HLS, RTSP, RTMP Multiple Vulnerabilities (4.27.4)

WordPress Plugin BuddyPress Multiple Security Bypass Vulnerabilities (7.2.1)

WordPress Plugin WebP Express Arbitrary File Disclosure (0.14.10)

WordPress Plugin Google Analytics Dashboard Plugin for WordPress by MonsterInsights 404 Error Page Cross-Site Scripting (3.2.4)

Rukovoditel Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2020-11812)

Severity

High

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update CSRF