5.4

CVE-2024-4468

EPSS 0.57%
Veröffentlicht 08.06.2024 08:15:08
Zuletzt bearbeitet 21.11.2024 09:42:53
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Salon booking system <= 9.9 - Missing Authorization

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.

Mögliche Gegenmaßnahme

Salon Booking System – Free Version: Update to version 10.0, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 13

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Salon Booking System – Free Version

Version *-9.9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Salonbookingsystem ≫ Salon Booking System SwPlatformwordpress Version < 10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.57%	0.678

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php#L10

Product

https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php#L16

Product

https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php#L7

Product

https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLN/Admin/Tools.php#L12

Product

https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLN/Admin/Tools.php#L16

Product

https://plugins.trac.wordpress.org/browser/salon-booking-system/trunk/src/SLN/Admin/Tools.php#L231

Product

https://plugins.trac.wordpress.org/changeset/3098413/salon-booking-system/trunk/src/SLB_Discount/Admin/ExportDiscountsCsv.php

Patch

https://plugins.trac.wordpress.org/changeset/3098413/salon-booking-system/trunk/src/SLN/Admin/Tools.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/8b73f864-68b5-4ba8-93a3-37f2564cc240?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8b73f864-68b5-4ba8-93a3-37f2564cc240

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-4468

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4468

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4468

EUVD