CVE-2026-42666 | Severity: HIGH | CNA: Patchstack

CVE-2026-42666: WordPress Salon booking system plugin <= 10.30.25 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: (no upstream fix version published)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a broken access control vulnerability in the Salon booking system WordPress plugin versions 10.30.25 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any remote visitor can trigger it without holding an account. Successful exploitation allows an attacker to read confidential data from the affected installation. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying an affected version of the Salon booking system plugin is flagged automatically.
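Matching an installed plugin against the advisory's range (≤ 10.30.25) is mostly a version-comparison problem, and the common mistake is comparing version strings lexicographically, which makes "10.9.3" look newer than "10.30.25". The following is an added example written for this page, not HarborGuard's scanner or the plugin's own code: it reads the standard `Plugin Name:` / `Version:` header that WordPress places in a plugin's main PHP file, compares the version component-wise, and reports whether the install falls inside the affected range. The header contents are constructed sample data; the plugin name, author and version bound are taken from the advisory.

```python
import re

# Constructed sample: the comment header WordPress reads from a plugin's main
# PHP file. Name/author/bound come from the advisory; everything else is made up.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Salon booking system
 * Plugin URI: https://example.invalid/placeholder
 * Version: 10.9.3
 * Author: Dimitri Grassi
 */
"""

AFFECTED_PLUGIN = "Salon booking system"
MAX_AFFECTED_VERSION = "10.30.25"   # inclusive upper bound from the advisory


def parse_version(version: str) -> tuple:
    """Split a dotted version into integer components so 10.9.3 < 10.30.25.
    A pre-release suffix such as '10.30.25-beta' is dropped, which treats it as
    10.30.25 (inside the range): the conservative choice for a scanner."""
    core = version.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing components compare as zero."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def read_plugin_header(php_source: str) -> dict:
    """Extract the header fields WordPress itself parses (subset used here)."""
    headers = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(rf"^\s*\*?\s*{re.escape(key)}:\s*(.+?)\s*$", php_source, re.M)
        if m:
            headers[key] = m.group(1)
    return headers


def is_affected(php_source: str) -> bool:
    """True when the header names the affected plugin at a version <= the bound."""
    h = read_plugin_header(php_source)
    if h.get("Plugin Name") != AFFECTED_PLUGIN or "Version" not in h:
        return False
    return compare_versions(h["Version"], MAX_AFFECTED_VERSION) <= 0


def naive_string_check(version: str) -> bool:
    """The wrong way: plain string comparison. Shown only to expose the trap."""
    return version <= MAX_AFFECTED_VERSION


if __name__ == "__main__":
    v = read_plugin_header(SAMPLE_PLUGIN_HEADER)["Version"]
    print("component-wise:", is_affected(SAMPLE_PLUGIN_HEADER))   # True
    print("string compare:", naive_string_check(v))              # False (wrong)
```

The name match is exact on the `Plugin Name` header, which is an assumption about how the plugin identifies itself; a production scanner would also key on the plugin directory slug so that a renamed header cannot hide an affected install.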
Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.5 (HIGH) and weights it against each customer environment's compliance policy to prioritize alerting. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor releases a remediated version of the plugin. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that upstream fix lands.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.

  • Authentication: Not required

    No account or session token is needed; the access control bypass is reachable by any unauthenticated request.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user of the target site to exploit this vulnerability.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is straightforward and repeatable with no special timing, race conditions, or environmental prerequisites.

Blast Radius

  • An attacker can read data that should be restricted by access controls, such as customer booking records, personal details, or other sensitive information stored by the plugin.
  • Confidentiality impact is rated HIGH, meaning the full scope of protected data accessible through the vulnerable endpoint may be exposed in a single unauthenticated request.
  • No integrity or availability impact is indicated, so the attacker cannot modify records or disrupt the service through this specific vector.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all scanned images that bundle the Salon booking system plugin at version 10.30.25 or earlier. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment the vendor publishes a remediated version. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the specific WordPress REST API or admin routes exposed by the plugin, egress filtering to limit what the plugin can reach if exploited, and disabling the plugin entirely on any installation that does not require it. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger automatically once an upstream patch version is available, with no manual intervention required.

Affected packages
  • Dimitri Grassi / Salon booking system
    ≤ 10.30.25
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N