CVE-2025-31560 HIGH

CVE-2025-31560: WordPress Salon booking system plugin < 10.15 - Privilege Escalation vulnerability

Vendor: Dimitri Grassi
Product: Salon booking system
Weakness: CWE-266
Published: April 1, 2025
Last update: April 28, 2026

CVSS base score

7.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Incorrect Privilege Assignment vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Privilege Escalation. This issue affects Salon booking system: from n/a through < 10.15.

Explanation of Vulnerability in Simple Terms

02 Summary

The Salon booking system plugin contains an improper access control vulnerability affecting versions before 10.15. An authenticated administrator can read, modify, or delete sensitive data and system settings without proper authorization checks. Exploitation requires high-level privileges, but it grants unrestricted access to confidential information and compromises system integrity.

What an attacker can do

03 Attacker Capabilities

Read, modify, or delete sensitive data and system settings with administrator access.

Potential impact on your site

04 Site Impact

Administrators can access and alter data beyond their intended scope, risking data breaches and system misconfiguration.

Conditions required to exploit

05 Prerequisites

Attacker must have administrator-level credentials for the Salon booking system.

Key dates

06 Disclosure timeline

April 1, 2025: CVE published
April 28, 2026: Record updated