CVE-2025-8492: 
WordPress vulnerability analysis and mitigation

The Salon Booking System WordPress plugin (versions up to 10.20) contains a vulnerability identified as CVE-2025-8492. This security flaw stems from a missing capability check on the ajax function, which allows unauthenticated attackers to execute AJAX actions, including limited file uploads. The vulnerability was discovered and disclosed on September 11, 2025 (NVD).

The vulnerability is classified with a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The security issue is categorized as CWE-862 (Missing Authorization). The vulnerability specifically affects the ajax function implementation in the plugin, where the absence of proper capability checks enables unauthorized access to AJAX actions (NVD).

When exploited, this vulnerability allows unauthenticated attackers to perform unauthorized modification of data through AJAX actions. The impact includes the ability to execute limited file uploads, potentially compromising the integrity of the affected WordPress installations (NVD).

Users of the Salon Booking System WordPress plugin should upgrade to a version newer than 10.20 once available. The vulnerability affects all versions up to and including 10.20 (NVD).