
CVE-2025-32295: CWE-862 Missing Authorization in wordpresschef Salon Booking Pro

Severity: Medium
Tags: Vulnerability, CVE-2025-32295, CWE-862
Published: Fri May 16 2025 (05/16/2025, 15:45:31 UTC)
Source: CVE
Vendor/Project: wordpresschef
Product: Salon Booking Pro

Description

Missing Authorization vulnerability in wordpresschef Salon Booking Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon Booking Pro: from n/a through 10.10.2.

AI-Powered Analysis

Last updated: 07/11/2025, 22:19:11 UTC

Technical Analysis

CVE-2025-32295 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin Salon Booking Pro developed by wordpresschef. It arises from incorrectly configured access control security levels, allowing users with limited privileges (PR:L, privileges required: low) to perform actions or access resources beyond their authorized scope, without any user interaction (UI:N). The vulnerability does not impact confidentiality or availability but leads to a partial loss of integrity (I:L), meaning an attacker can modify or manipulate data or settings they should not have access to. It affects versions through 10.10.2; the lower bound of the affected range is not specified (given as "n/a"). The attack vector is network-based (AV:N), so exploitation can occur remotely without physical or local access. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating the vulnerability is newly disclosed and may require immediate attention from users of this plugin. Although the impact is limited to integrity, it can still lead to unauthorized changes in booking data or configuration, potentially disrupting business operations or causing data inconsistencies.

Potential Impact

For European organizations using the Salon Booking Pro WordPress plugin, this vulnerability poses a risk of unauthorized modification of booking information, schedules, or customer data integrity. Such unauthorized changes could lead to operational disruptions, customer dissatisfaction, and reputational damage, especially for small and medium-sized enterprises in the beauty and wellness sector relying on this plugin for appointment management. Although the vulnerability does not directly expose sensitive data or cause service outages, the integrity loss can undermine trust in the booking system and may indirectly affect compliance with data protection regulations like GDPR if manipulated data leads to erroneous personal data processing. The remote exploitability and low privilege requirement increase the risk of exploitation by insiders or external attackers who have gained limited access, emphasizing the need for strict access control and monitoring.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Salon Booking Pro plugin and verify the version in use. Until an official patch is released, administrators should restrict access to the plugin’s administrative and configuration interfaces to trusted users only, employing role-based access controls and the principle of least privilege. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin’s endpoints can provide a temporary protective layer. Regularly monitoring logs for unusual activity related to booking modifications or unauthorized access attempts is critical. Organizations should also subscribe to vendor and security advisories for timely patch releases and apply updates promptly once available. Additionally, consider isolating the booking system from other critical infrastructure to limit potential lateral movement in case of exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-04T10:02:46.815Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aebd01

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 10:19:11 PM

Last updated: 7/31/2025, 9:23:25 AM
