CVE-2023-3427: Changeset 2931406 for salon-booking-system – WordPress Plugin Repository
The Salon Booking System plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.6. The cause is missing nonce validation in the ‘save_customer’ function, which the admin customer form posts to. An unauthenticated attacker can therefore downgrade an administrator's role to customer, or set user meta to arbitrary values, with a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking a link. The changeset below (r2931406, released as 8.4.8) adds the missing pair: wp_nonce_field() in views/admin/_customer.php and check_admin_referer() at the top of save_customer() in src/SLN/Admin/Customers.php, with the nonce action bound to the id of the customer being edited.
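To make the check this changeset adds concrete, the following is an added example, not code from the plugin or from WordPress core: a Python model of the WordPress nonce scheme that check_admin_referer('sln_update_user_'.$user_id) verifies (wp_nonce_tick, wp_create_nonce, wp_verify_nonce), driven with a legitimate admin submission and the forged requests the advisory describes. The nonce salt, administrator id, session token and timestamps are constructed values; the `_sln_email` field is the one the patched function reads, and everything else about the request shape is an assumption.

```python
"""Model of the WordPress nonce scheme behind check_admin_referer().

Reimplements wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce() so the
'sln_update_user_<id>' nonce can be exercised offline.  The salt, user id,
session token and clock values below are constructed for the example.
"""
import hashlib
import hmac
import math

DAY_IN_SECONDS = 86400
NONCE_LIFE = DAY_IN_SECONDS  # default value of the 'nonce_life' filter

# Constructed stand-in for wp_salt('nonce'); a real site derives it from the
# NONCE_KEY/NONCE_SALT constants in wp-config.php, which never reach the browser.
SITE_NONCE_SALT = "constructed-example-salt"


def wp_nonce_tick(now: int, nonce_life: int = NONCE_LIFE) -> int:
    """ceil(time() / (nonce_life / 2)): a nonce is accepted for the current
    tick and the one before it, i.e. 12 to 24 hours with the default life."""
    return math.ceil(now / (nonce_life / 2))


def wp_hash(data: str, salt: str = SITE_NONCE_SALT) -> str:
    """wp_hash($data, 'nonce') is hash_hmac('md5', $data, wp_salt('nonce'))."""
    return hmac.new(salt.encode(), data.encode(), hashlib.md5).hexdigest()


def wp_create_nonce(action: str, uid: int, token: str, now: int,
                    salt: str = SITE_NONCE_SALT) -> str:
    """substr(wp_hash(tick|action|uid|session_token, 'nonce'), -12, 10)."""
    tick = wp_nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{uid}|{token}", salt)[-12:-2]


def wp_verify_nonce(nonce, action: str, uid: int, token: str, now: int,
                    salt: str = SITE_NONCE_SALT):
    """Return 1 (minted this tick), 2 (previous tick) or False, as WordPress does."""
    if not nonce:
        return False
    tick = wp_nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{token}", salt)[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def check_admin_referer(post: dict, action: str, uid: int, token: str, now: int) -> bool:
    """Model of check_admin_referer($action): verify $_POST['_wpnonce'] for the
    logged-in user's id and session.  WordPress calls wp_nonce_ays() and dies on
    failure; this model just returns False."""
    return bool(wp_verify_nonce(post.get("_wpnonce"), action, uid, token, now))


def save_customer_allowed(post: dict, admin_uid: int, token: str, now: int) -> bool:
    """Shape of the patched handler: the action is bound to the customer id being
    edited (assumed here to come from the posted 'id' field), so a nonce minted
    for one customer's form does not verify for another customer's id."""
    user_id = int(post.get("id", 0))
    return check_admin_referer(post, f"sln_update_user_{user_id}", admin_uid, token, now)


def demo() -> dict:
    """Legitimate admin submission versus the forged requests the advisory describes."""
    admin_uid, token = 1, "constructed-session-token"
    now = 1_687_865_544  # constructed: 27 Jun 2023, around the changeset time
    half_life = NONCE_LIFE // 2

    legit = {"id": "5",
             "_wpnonce": wp_create_nonce("sln_update_user_5", admin_uid, token, now),
             "sln_customer_meta": {"_sln_email": "customer@example.com"}}
    # Cross-site form: the attacker's page cannot read the admin's nonce, so the
    # best it can do is post without one or with a guessed value.
    forged = {"id": "1", "sln_customer_meta": {"_sln_email": "attacker@example.com"}}
    guessed = dict(forged, _wpnonce="0000000000")
    # A nonce leaked from customer 5's form replayed against customer 1's id.
    replayed = dict(forged, _wpnonce=legit["_wpnonce"])

    return {
        "legit": save_customer_allowed(legit, admin_uid, token, now),
        "forged_no_nonce": save_customer_allowed(forged, admin_uid, token, now),
        "forged_guessed_nonce": save_customer_allowed(guessed, admin_uid, token, now),
        "replayed_other_customer": save_customer_allowed(replayed, admin_uid, token, now),
        # The same nonce 12 h later falls into the previous-tick window; 24 h later it is dead.
        "after_12h": wp_verify_nonce(legit["_wpnonce"], "sln_update_user_5",
                                     admin_uid, token, now + half_life),
        "after_24h": wp_verify_nonce(legit["_wpnonce"], "sln_update_user_5",
                                     admin_uid, token, now + 2 * half_life),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print each case. Two properties are worth taking from it: the HMAC key is wp_salt('nonce'), which never leaves the server, so a page on the attacker's origin cannot compute a valid value no matter what it knows about the victim; and because the action string includes the customer id, a nonce captured from one customer's edit form does not verify against another id, which is why the patch binds the action to $user_id rather than using a single site-wide action.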
Timestamp:
06/27/2023 11:32:24 AM
Author:
wordpresschef
Message:
Update trunk - version 8.4.8
Location:
salon-booking-system/trunk
Files:
- readme.txt (2 diffs)
- salon.php (2 diffs)
- src/SLN/Admin/Customers.php (1 diff)
- views/admin/_customer.php (1 diff)
salon-booking-system/trunk/readme.txt
r2931279
r2931406
5
5
Tested up to: 6.1
6
6
Requires PHP: 7.4.8
7
Stable tag: 8.4.7
7
Stable tag: 8.4.8
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
344
344
\== Changelog ==
345
345
346
27.06.2023
347
348
\* Fix vulnerability issue
349
346
350
23.06.2023
347
351
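Review bot: The changelog entry `* Fix vulnerability issue` under 27.06.2023 does not say what was fixed, so a site owner reading the readme before updating cannot tell that this release closes a CSRF on the admin customer form. Suggest naming the issue and the fix, for example `* Security: add nonce verification to the admin customer save form (CSRF, CVE-2023-3427)`, so administrators and update tooling can judge urgency.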
salon-booking-system/trunk/salon.php
r2931279
r2931406
4
4
Plugin Name: Salon Booking Wordpress Plugin - Free Version
5
5
Description: Let your customers book you services through your website. Perfect for hairdressing salons, barber shops and beauty centers.
6
Version: 8.4.7
6
Version: 8.4.8
7
7
Plugin URI: http://salonbookingsystem.com/
8
8
Author: Salon Booking System
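Review bot: Style point on the unchanged context around the version bump: the `Plugin Name` header spells the platform `Wordpress` (the project name is WordPress) and the `Description` reads `book you services`, which should be `book your services`. Worth fixing while this header block is being touched.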
…
…
42
42
define('SLN\_PLUGIN\_DIR', untrailingslashit(dirname(\_\_FILE\_\_)));
43
43
define('SLN\_PLUGIN\_URL', untrailingslashit(plugins\_url('', \_\_FILE\_\_)));
44
define('SLN\_VERSION', '8.4.6');
44
define('SLN\_VERSION', '8.4.8');
45
45
define('SLN\_STORE\_URL', 'https://salonbookingsystem.com');
46
46
define('SLN\_AUTHOR', 'Salon Booking');
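Review bot: The removed line `define('SLN_VERSION', '8.4.6');` shows the constant was still at 8.4.6 in r2931279, whose plugin header (`Version: 8.4.7`) and readme (`Stable tag: 8.4.7`) already said 8.4.7, so 8.4.7 shipped with a stale SLN_VERSION. If the constant is used for anything version-keyed (cache-busting of enqueued assets, upgrade routines, support diagnostics), 8.4.7 installs would have reported themselves as 8.4.6, which also blurs the fixed-version boundary for this CVE. Consider deriving the constant from the plugin header with get_file_data() or adding a release check that fails when the three version strings disagree.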
salon-booking-system/trunk/src/SLN/Admin/Customers.php
r2779160
r2931406
67
67
68
68
private function save\_customer($user\_id) {
69
check\_admin\_referer('sln\_update\_user\_'.$user\_id);
69
70
$customer = \[\];
70
71
$email = isset($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ? sanitize\_email( wp\_unslash($\_POST\['sln\_customer\_meta'\]\['\_sln\_email'\]) ) : false;
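Review bot: `check_admin_referer('sln_update_user_'.$user_id)` at the top of save_customer() is the right place for the check and it dies on a missing or invalid nonce, but two things are outside this hunk and should be confirmed. First, the nonce is bound to `$user_id`, and the matching field in views/admin/_customer.php is minted with `0` for a new customer, so whatever value the caller derives from the posted `id` field must be exactly `0` in that case or creating a customer will fail verification. Second, a nonce only proves the request came from a form this user loaded; it is not an authorization check. Since the advisory says this path can change an administrator's role and arbitrary user meta, the caller should also enforce a capability check such as `current_user_can('edit_user', $user_id)` before reaching this function, and refuse role changes on accounts more privileged than the actor.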
salon-booking-system/trunk/views/admin/_customer.php
r2920616
r2931406
28
28
29
29
<input type="hidden" name="id" id="id" value="<?php echo $customer->getId(); ?>">
30
<?php wp\_nonce\_field('sln\_update\_user\_'. ($customer->isEmpty() ? 0 : $customer->getId())); ?>
30
31
<div class="sln-box sln-box--main">
31
32
<div class="row">
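Review bot: The nonce action uses `($customer->isEmpty() ? 0 : $customer->getId())` while the hidden `id` input on the line above echoes `$customer->getId()` unconditionally, so for an empty customer the form submits whatever getId() returns while the nonce is minted for `0`. Both should come from the same expression so the `$user_id` handed to save_customer() matches the nonce. Separately, `<?php echo $customer->getId(); ?>` inside an attribute should go through `esc_attr()`; wp_nonce_field() escapes its own output, so the added line is fine as is.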