Skip to main content
CVE Vulnerability Database

CVE-2025-8492: WordPress Salon Booking Auth Bypass Flaw

CVE-2025-8492 is an authentication bypass vulnerability in the Salon Booking System plugin for WordPress that allows unauthenticated attackers to modify data and upload files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-8492 Overview

The Salon Booking System plugin for WordPress contains a missing authorization vulnerability in its AJAX handler. The flaw affects all plugin versions up to and including 10.22. Unauthenticated attackers can invoke AJAX actions that should require authentication, including a limited file upload action exposed by SLN/Action/Ajax/UploadFile.php. The root cause is the absence of a capability check on the AJAX endpoint, tracked as [CWE-862] Missing Authorization. The plugin is used for appointment scheduling in salons, spas, and small businesses, and installations exposing the vulnerable AJAX handler are reachable over the network without credentials.

Critical Impact

Unauthenticated attackers can trigger AJAX actions and perform limited file uploads against affected WordPress sites.

Affected Products

  • Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress
  • All versions up to and including 10.22
  • WordPress sites with the vulnerable AJAX handler registered in SLN/Plugin.php

Discovery Timeline

  • 2025-09-11 - CVE-2025-8492 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8492

Vulnerability Analysis

The Salon Booking System plugin registers AJAX actions in SLN/Plugin.php and dispatches file upload requests to SLN/Action/Ajax/UploadFile.php. The handler processes incoming requests without validating that the caller possesses the required WordPress capability. Because WordPress exposes AJAX endpoints through admin-ajax.php for both authenticated and unauthenticated users when wp_ajax_nopriv_ hooks are registered, the missing check allows any network client to invoke the action. The result is unauthorized data modification and limited file upload capability on the target site. The vulnerability is classified as [CWE-862] Missing Authorization and is reachable from the network without user interaction.

Root Cause

The root cause is the absence of a current_user_can() or equivalent capability check inside the AJAX handler. The upstream fix in changeset 3360651 modified SLN/Action/Ajax/UploadFile.php to enforce authorization before processing uploads. Prior to this fix, the plugin trusted the request context rather than the caller identity.

Attack Vector

An attacker sends crafted HTTP POST requests to wp-admin/admin-ajax.php targeting the registered plugin action. No authentication or user interaction is required. The upload path allows limited file writes, which can be used to stage further attacks or modify site data. For technical specifics, see the WordPress Plugin Source Code, the WordPress Plugin Change Log, and the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-8492

Indicators of Compromise

  • Unauthenticated POST requests to wp-admin/admin-ajax.php referencing Salon Booking System actions.
  • Unexpected files written under the plugin's upload directory or WordPress uploads folder.
  • Web server access logs showing repeated AJAX action invocations from a single IP without a valid WordPress session cookie.

Detection Strategies

  • Inspect access logs for admin-ajax.php requests carrying action parameters associated with the Salon Booking System plugin from unauthenticated sources.
  • Monitor filesystem writes to WordPress upload directories for unexpected file types or names.
  • Compare installed plugin version against 10.22 and flag any site running a vulnerable version.

Monitoring Recommendations

  • Enable WordPress audit logging to record plugin AJAX action invocations and file operations.
  • Alert on new file creation in wp-content/uploads/ outside expected media uploads.
  • Track EPSS scoring changes for CVE-2025-8492 to detect rising exploitation interest.

How to Mitigate CVE-2025-8492

Immediate Actions Required

  • Update the Salon Booking System plugin to a version later than 10.22 that includes changeset 3360651.
  • Audit the WordPress uploads directory and plugin folders for unexpected files placed after the plugin was installed.
  • Restrict access to wp-admin/admin-ajax.php at the WAF layer for unauthenticated requests where feasible.

Patch Information

The vendor addressed the issue in changeset 3360651, which adds authorization enforcement to SLN/Action/Ajax/UploadFile.php. Administrators should upgrade to the fixed release published on the WordPress plugin repository and confirm the plugin version reported in the WordPress admin dashboard matches or exceeds the patched build.

Workarounds

  • Deactivate and remove the Salon Booking System plugin until an updated version is applied.
  • Deploy web application firewall rules that block unauthenticated POST requests targeting Salon Booking System AJAX actions.
  • Restrict access to admin-ajax.php by IP allowlist where the site does not require public AJAX endpoints.
bash
# Configuration example - block unauthenticated Salon Booking System AJAX actions at the web server
# nginx example
location = /wp-admin/admin-ajax.php {
    if ($arg_action ~* "^sln_") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.