PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40768 Dimitri Grassi CVE debrief

CVE-2026-40768 is a HIGH-severity vulnerability (CVSS 7.3) in the Salon booking system WordPress plugin by Dimitri Grassi, affecting version 10.30.24 and earlier. It is an unauthenticated Insecure Direct Object Reference (IDOR): a request that names a record by its identifier is served without checking that the caller is logged in or entitled to that record, so an attacker can read sensitive data without any account on the site. The issue was publicly disclosed on June 17, 2026, has been confirmed by Patchstack and is listed in the CVE record. Administrators running an affected version should update or mitigate promptly, since an unauthenticated read flaw needs no foothold to exploit.

Vendor
Dimitri Grassi
Product
Salon booking system
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Anyone operating a WordPress site with the Salon booking system plugin at version 10.30.24 or earlier: site administrators, hosting providers and agencies maintaining client sites. Because the flaw is reachable without authentication, exposure does not depend on having untrusted registered users; a public site with the plugin active is enough. Security teams and vulnerability managers should track this CVE for exploitation attempts and for the release that fixes it.

Technical summary

CVE-2026-40768 is an unauthenticated Insecure Direct Object Reference (IDOR) in the Salon booking system plugin, version 10.30.24 and earlier. In an IDOR the application looks up a record by a client-supplied identifier but never verifies that the caller is allowed to see that record; when the endpoint is also reachable without a login, anyone who can guess or enumerate identifiers can retrieve the data behind them, and because identifiers in booking systems are usually small sequential integers, enumeration is cheap. The stored evidence does not name the affected endpoint, parameter or the exact fields exposed beyond "sensitive data". The CVSS score is 7.3 (HIGH).
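The pattern described above, as an added example that is not code from the Salon booking system plugin or from the Patchstack report: a WordPress AJAX handler registered on a `wp_ajax_nopriv_*` hook that returns a record chosen only by a caller-supplied id, beside a hardened version that removes anonymous access, checks a nonce, and enforces object-level authorization. The hook names, table name, column names and the `example_manage_bookings` capability are hypothetical; the WordPress API calls (`check_ajax_referer`, `is_user_logged_in`, `current_user_can`, `wp_send_json_*`, `$wpdb->prepare`) are real.

```php
<?php
/**
 * Added example, not the plugin's own code. Models the generic
 * "unauthenticated IDOR" shape in a WordPress plugin and its fix.
 * Hook names, table and columns are hypothetical.
 */

// ---- Vulnerable pattern (illustrative only) -----------------------------
// wp_ajax_nopriv_* fires for visitors who are NOT logged in, so whatever this
// handler returns is readable by anyone who can guess an id.
add_action( 'wp_ajax_nopriv_example_get_booking', 'example_get_booking_vulnerable' );
add_action( 'wp_ajax_example_get_booking',        'example_get_booking_vulnerable' );

function example_get_booking_vulnerable() {
    global $wpdb;
    $id  = absint( $_GET['id'] ?? 0 );   // sanitised against SQLi, but never authorised
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}example_bookings WHERE id = %d", $id )
    );
    // Whole row (customer name, e-mail, phone, notes) goes to whoever asked: the IDOR.
    wp_send_json_success( $row );
}

// ---- Hardened pattern ---------------------------------------------------
// 1. No nopriv hook: the endpoint does not exist for anonymous callers.
// 2. Nonce check against CSRF.
// 3. Object-level authorisation: the booking must belong to the caller, or the
//    caller must hold a capability that permits reading every booking.
// 4. Return only the fields the caller needs.
add_action( 'wp_ajax_example_get_booking_secure', 'example_get_booking_secure' );

function example_get_booking_secure() {
    global $wpdb;

    check_ajax_referer( 'example_booking_nonce', 'nonce' );   // wp_die()s on failure

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'authentication required' ), 401 );
    }

    $id  = absint( $_GET['id'] ?? 0 );
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}example_bookings WHERE id = %d", $id )
    );

    if ( ! example_user_may_read_booking( $row, get_current_user_id() ) ) {
        // Same response for "does not exist" and "not yours": no enumeration oracle.
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    wp_send_json_success( example_booking_public_view( $row ) );
}

/** Ownership / capability decision, kept in one place so every endpoint reuses it. */
function example_user_may_read_booking( $row, $user_id ) {
    if ( null === $row ) {
        return false;
    }
    if ( (int) $row->customer_id === (int) $user_id ) {
        return true;
    }
    // Hypothetical capability that a shop-owner role would hold.
    return current_user_can( 'example_manage_bookings' );
}

/** Project the row down to the fields a customer-facing view needs. */
function example_booking_public_view( $row ) {
    return array(
        'id'     => (int) $row->id,
        'date'   => $row->booking_date,
        'status' => $row->status,
    );
}
```

The two properties worth checking in any fix for this class of bug are visible here: the check is on the relationship between the caller and the specific object (not just "is logged in"), and a denied request is indistinguishable from a missing record, so the endpoint cannot be used to confirm which ids exist.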

Defensive priority

HIGH

Recommended defensive actions

  • Update the Salon booking system plugin to the release Patchstack or the vendor lists as fixed. The stored evidence only says 10.30.24 and earlier are affected, so confirm the fixed version in the Patchstack advisory or the plugin changelog rather than assuming any later build is safe.
  • If you cannot update immediately, reduce exposure at the edge: an IDOR is an authorization flaw inside the plugin's own code, so the practical interim mitigations are a Web Application Firewall or web-server rule that blocks or rate-limits anonymous requests to the plugin's endpoints, or deactivating the plugin until it is patched.
  • Review web server and WAF logs for anonymous requests to the plugin's endpoints that step through identifiers sequentially or in bulk; that enumeration pattern is the usual signature of IDOR exploitation and of the data already having been harvested.
  • Keep the plugin enrolled in automatic or regularly reviewed updates so the fix, and later ones, are applied without manual intervention.
  • Limit access to the plugin's administrative interface to trusted users only. This does not close an unauthenticated flaw, but it narrows what an attacker can do with any credentials or session data recovered through it.

Evidence notes

The information above is drawn from the CVE record and Patchstack's vulnerability report. Public disclosure was on June 17, 2026, and Patchstack has confirmed the vulnerability. Vendor and product attribution is not fully verified, and the CVE record is still in 'Deferred' status, so details the record does not yet carry, such as the affected endpoint and the first fixed version, should be checked against the Patchstack advisory and the plugin changelog rather than inferred from this debrief.

Official resources

CVE-2026-40768 was publicly disclosed on June 17, 2026.