CVE-2025-66531
Description
Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery.This issue affects Salon booking system: from n/a through <= 10.30.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WordPress Salon booking system plugin allows attackers to force privileged users to execute unwanted actions.
Analysis
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress Salon booking system plugin by Dimitri Grassi, affecting versions up to and including 10.30.3 [1]. This flaw allows an attacker to craft malicious requests that are executed by a privileged user without their knowledge.
Exploitation
Exploitation requires user interaction, where a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a form [1]. The attacker can initiate the CSRF attack from any website, leveraging the user's active session in the WordPress admin panel.
Impact
Successful exploitation enables an attacker to force the targeted user to perform unintended actions, such as modifying plugin settings or creating new bookings, under the user's current authentication [1]. This could lead to unauthorized changes within the Salon booking system.
Mitigation
The vulnerability has been patched in version 10.30.4. As an immediate action, update the plugin to the latest version [1]. Patchstack users can enable auto-updates for vulnerable plugins to mitigate this risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <= 10.30.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.