VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

CVE-2026-42666

CVE-2026-42666

Description

Unauthenticated broken access control in Salon booking system <=10.30.25 allows attackers to perform privileged actions without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated broken access control in Salon booking system <=10.30.25 allows attackers to perform privileged actions without authentication.

Vulnerability

The Salon booking system plugin for WordPress versions up to and including 10.30.25 contains an unauthenticated broken access control vulnerability. This means that certain functions lack proper authorization or nonce checks, allowing unauthenticated users to execute actions that should require higher privileges [1].

Exploitation

An attacker can exploit this vulnerability without any authentication or user interaction. By sending crafted requests to the vulnerable endpoints, an unauthenticated attacker can trigger privileged actions. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to perform actions reserved for higher-privileged users, potentially leading to unauthorized data access, modification, or other malicious activities. The exact impact depends on the specific broken access control functions, but it can result in complete compromise of the affected site [1].

Mitigation

The vulnerability is fixed in version 10.30.26 of the plugin. Users are strongly advised to update immediately. If unable to update, users should contact their hosting provider or web developer for assistance. Patchstack has issued a mitigation rule to block attacks until the update is applied [1].

References
  1. Broken Access Control in WordPress Salon booking system Plugin

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.