CVE-2025-47583
Description
Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Salon booking system plugin (≤10.16) allows attackers to force privileged users to delete arbitrary content.
Vulnerability
Overview
The Salon booking system plugin for WordPress (versions up to and including 10.16) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw arises from missing or insufficient CSRF token validation on certain administrative actions, enabling an attacker to trick a logged-in administrator into unknowingly executing unwanted operations [1].
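The missing-nonce pattern described above and the fix the advisory calls for, as an added illustration in PHP (not the plugin's code; the action name `sb_example_delete_item`, the post type and the admin page slug are hypothetical): the first handler accepts any authenticated request, the second verifies a WordPress nonce bound to the action and checks capability separately.

```php
<?php
// Added illustration (not the plugin's code): a WordPress admin-post handler
// that deletes a record. Action name, post type and page slug are hypothetical.

// Weak form: the handler trusts any request that arrives with the victim's
// session cookies, so a request originating from another site is accepted.
function sb_example_delete_item_unsafe() {
    $id = isset( $_REQUEST['item_id'] ) ? absint( $_REQUEST['item_id'] ) : 0;
    if ( $id ) {
        wp_delete_post( $id, true );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=sb-example' ) );
    exit;
}

// Hardened form: verify the per-user, action-bound nonce, then check
// capability independently (a nonce proves intent, not authorization).
function sb_example_delete_item_safe() {
    // check_admin_referer() reads the _wpnonce field and calls wp_die() on failure.
    check_admin_referer( 'sb_example_delete_item' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( $id && 'sb_example_item' === get_post_type( $id ) && current_user_can( 'delete_post', $id ) ) {
        wp_delete_post( $id, true );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=sb-example' ) );
    exit;
}
add_action( 'admin_post_sb_example_delete_item', 'sb_example_delete_item_safe' );

// The legitimate form emits a matching nonce field; cross-site forms cannot.
function sb_example_render_delete_form( $id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sb_example_delete_item">
        <input type="hidden" name="item_id" value="<?php echo esc_attr( $id ); ?>">
        <?php wp_nonce_field( 'sb_example_delete_item' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}
```

WordPress nonces are tied to the logged-in user and the action string and expire after a time window, so the hardened handler rejects any submission that did not originate from a form the site itself rendered for that user.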
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must craft a malicious link, form, or webpage that triggers a state-changing request. The victim must be a privileged user (e.g., administrator) currently authenticated to the WordPress site and must interact with the crafted content—for example, by clicking a link or submitting a form. No additional privileges are required on the attacker's part, and the attack can be delivered via email, social media, or other channels [1].
Impact
Successful exploitation allows the attacker to force the victim to perform arbitrary actions under their current session. In this specific case, the CSRF can be leveraged to delete arbitrary content (such as posts, pages, or bookings) from the WordPress site. This could lead to data loss, service disruption, or defacement, depending on the content deleted [1].
Mitigation
The vulnerability has been addressed in version 10.17 of the plugin. Users are strongly advised to update to this version or later immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is currently available, and given the potential for mass exploitation, prompt updating is critical [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 10.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.