Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-11887— Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass

AI Predicted 6.5 Difficulty: Easy EPSS 0.18% · P7

Possible ATT&CK Techniques 1AI

T1548.002 · Bypass User Account Control

Affected Version Matrix 1

VendorProductVersion RangeStatus
UnknownSalon Booking System< 10.30.20affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-11887

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new bookings.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress Salon Booking System 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dimitri Grassi Salon booking system是意大利Dimitri Grassi个人开发者的一个理发店预约系统。 WordPress Salon Booking System 10.30.20之前版本存在授权问题漏洞,该漏洞源于对某AJAX操作的授权检查不当,可能导致任何已认证用户(如订阅者)修改设置并绕过新预订的手动审批。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
UnknownSalon Booking System 0 ~ 10.30.20 -

II. Public POCs for CVE-2026-11887

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-11887

登录查看更多情报信息。

Vendor Advisories for CVE-2026-11887 (1)

Same Patch Batch · Unknown · 2026-07-01 · 8 CVEs total

CVE-2026-11880Fluent Forms < 6.2.1 - Subscriber+ Subscription Cancellation via IDOR
CVE-2026-11883WebAuthn Provider for Two Factor < 2.5.6 - 2FA Bypass
CVE-2026-11568Product Configurator for WooCommerce < 1.7.3 - Unauthenticated Private/Draft Product Data
CVE-2026-11562WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update
CVE-2026-11570User Submitted Posts < 20260608 - Unauthenticated Stored XSS via Author Name
CVE-2026-11794Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Fo
CVE-2026-10750Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools

IV. Related Vulnerabilities

V. Comments for CVE-2026-11887

No comments yet


Leave a comment