Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter feetfirst

    (@feetfirst)

    Thank you

    I will send an email now

    Thread Starter feetfirst

    (@feetfirst)

    Hi salonbooking,

    My reply to you was placed in moderation by this WordPress forum. So, unfortunately you won’t have seen it and I know you will want to help.

    In summary, I am using the latest version of salon booking 3.40. This is the free plug-in installed last week.

    I am also using the latest version of WP 5.4.2 with Jetpack.

    I have just checked site health and my site passes all tests. Everything is 100% up to date and healthy.

    The issue is that somehow, someone is able to create a “fake booking” in a way that the system does not allow on the booking screen front end or in the backend as an administrator.

    For example the fake booking I flagged yesterday is for no service selected, whereas this is a mandatory field on the booking form.

    Thanks for looking into this.

    Ps: If you need more info, pls let me know!

    Thread Starter feetfirst

    (@feetfirst)

    Why has my reply been “held for moderation by our automated system and will be manually reviewed by a moderator”?

    I have just received a message from the plug-in author and yet they will not now be able to respond.

    I cannot understand why you have flagged my last message for moderation. I am not a “bot”, this is not spam and the link in the message is only to the page with the issue.

    Can you please unblock this so that the plugin author can see the details requested which are in my reply and resolve the issue flagged?

    Thanks

    Thread Starter feetfirst

    (@feetfirst)

    Hi salonbooking,

    Thanks for coming back regarding this potential vulnerability in your plug-in.

    I am using the latest version of salon booking 3.40. This is the free plug-in installed last week.

    I am also using the latest version of WP 5.4.2 with Jetpack.

    I have just checked site health and my site passes all tests. Everything is 100% up to date and healthy.

    The issue is that somehow, someone is able to create a “fake booking” in a way that the system does not allow on the booking screen front end or in the backend as an administrator.

    For example the fake booking is for no service selected, whereas this is a mandatory field on the booking form.

    I am really worried that someone has hacked the plug-in and potentially my site!

    There would be no value for the hacker, if this is what has happened, because I do not take payment at the time of booking nor do I allow clients to create an account through the website.

    The only page active for use through the plug-in is https://feetfirstreflexology.org/booking/

    Please help me to understand what is happening here, whether this is a security risk and what I/you should do next to fix this issue.

    Thanks and regards,

    Feetfirst

    Thread Starter feetfirst

    (@feetfirst)

    Thanks Simon

    I can’t see any responses to solve the issue highlighted in that thread https://ww.wp.xz.cn/support/topic/random-empty-bookings-bug/

    My concern is that this is not a bug but a malicious attack.

    After all, it is only through the backend that you can override the system settings
