Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.38.
AnalysisAI
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.
Technical ContextAI
Hydra Booking is a WordPress plugin for managing booking functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-supplied input is stored in the database and later rendered in web pages without proper sanitization or encoding. The plugin fails to properly escape or neutralize malicious script content when displaying booking-related data, allowing persistent payload injection. Affected across the entire product lineage from initial release through version 1.1.38 (CPE: cpe:2.3:a:themefic:hydra_booking:*:*:*:*:*:*:*:*).
RemediationAI
Upgrade Themefic Hydra Booking to a version later than 1.1.38. Users should access their WordPress plugin management dashboard, navigate to the Hydra Booking plugin, and apply available updates immediately. If a patched version has been released by Themefic beyond 1.1.38, install it directly; consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-38-cross-site-scripting-xss-vulnerability?_s_id=cve) for the latest available version. As a temporary mitigation pending patching, restrict booking management permissions to only trusted administrators and review booking records for suspicious script content. Ensure all users who interact with the booking system are aware of the vulnerability.
More in Hydra Booking
View allBroken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated at
Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20195
GHSA-26j4-477q-gv33