CVE-2022-0919: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2022-0919 affects the Salon booking system Free and Pro WordPress plugins versions before 7.6.3. The vulnerability was discovered by Huli from Cymetrics and was publicly disclosed on March 21, 2022. This security flaw is related to improper authorization in the booking search functionality (WPScan, NVD).

The vulnerability is classified as a Missing Authorization (CWE-862) issue with a CVSS v3.1 base score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability falls under the OWASP Top 10 category A5: Broken Access Control. The technical issue stems from the lack of proper authorization checks in the booking search functionality (WPScan).

The vulnerability allows unauthenticated users to search and retrieve sensitive information from booking records. The exposed data includes customers' full names, email addresses, and phone numbers. While the API initially only returns customer names, the search feature can be exploited to leak additional sensitive information through character-by-character enumeration (WPScan).

The vulnerability has been fixed in version 7.6.3 of both the Salon booking system Free and Pro plugins. Users are advised to update their installations to this version or later to protect against unauthorized access to booking information (WPScan).