Skip to main content

Hydra Booking CVE-2026-39541

| EUVDEUVD-2026-20195 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-26j4-477q-gv33
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20195
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 5.9

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.38.

AnalysisAI

Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.

Technical ContextAI

Hydra Booking is a WordPress plugin for managing booking functionality. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic stored XSS flaw where user-supplied input is stored in the database and later rendered in web pages without proper sanitization or encoding. The plugin fails to properly escape or neutralize malicious script content when displaying booking-related data, allowing persistent payload injection. Affected across the entire product lineage from initial release through version 1.1.38 (CPE: cpe:2.3:a:themefic:hydra_booking:*:*:*:*:*:*:*:*).

RemediationAI

Upgrade Themefic Hydra Booking to a version later than 1.1.38. Users should access their WordPress plugin management dashboard, navigate to the Hydra Booking plugin, and apply available updates immediately. If a patched version has been released by Themefic beyond 1.1.38, install it directly; consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-38-cross-site-scripting-xss-vulnerability?_s_id=cve) for the latest available version. As a temporary mitigation pending patching, restrict booking management permissions to only trusted administrators and review booking records for suspicious script content. Ensure all users who interact with the booking system are aware of the vulnerability.

Share

CVE-2026-39541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy