CVE-2026-40768 | Severity: HIGH | CNA: Patchstack

CVE-2026-40768: WordPress Salon booking system plugin <= 10.30.24 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References (IDOR) in Salon booking system versions <= 10.30.24.

Metrics

  • CVSS v3.1: 7.3
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An Insecure Direct Object Reference (IDOR) vulnerability affects the Salon booking system WordPress plugin at version 10.30.24 and earlier. The flaw is reachable over the network without any authentication, meaning any internet user can send crafted requests directly to the plugin's endpoints. Successful exploitation gives an attacker limited read access, limited write access, and limited ability to disrupt the service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-40768 is available across every HarborGuard environment. The CVE is ingested from upstream feeds including the Patchstack advisory feed within minutes of publication and matched against customer images, including custom-built WordPress images carrying the Salon booking system plugin.
Triage (Available)

HarborGuard scores this CVE at 7.3 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency. Triage alerts are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch (Pending upstream)

No fix version has been published upstream as of the CVE publication date. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released by the maintainer. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS from any internet-accessible location.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerability is exploitable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; the exploit is executed entirely by the attacker against the server.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free, requiring no race conditions, special memory layout, or environmental setup.

Blast Radius

  • Reads booking records, customer names, appointment details, or other data objects the plugin manages by enumerating predictable object identifiers.
  • Modifies or overwrites booking records or plugin-managed data objects belonging to other users.
  • Causes limited disruption to the booking service, such as canceling or corrupting reservations.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against scanned images on every ingest cycle, covering any container image that bundles the Salon booking system WordPress plugin at version 10.30.24 or earlier. Because no upstream fix version exists yet, HarborGuard monitors the Patchstack advisory and the plugin's release channel continuously. As compensating controls while no patch is available, customers can consider restricting public network access to the affected WordPress endpoints via network policy or a web application firewall rule that blocks unauthenticated requests to the plugin's object-reference endpoints. For customers with auto-remediation enabled, a patched-image rebuild will be triggered automatically as soon as an upstream fix is published, followed by a regression test run and a PR opened against affected workloads.

Affected packages

  • Dimitri Grassi / Salon booking system, versions ≤ 10.30.24
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L