Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Hydra Booking: from n/a through 1.1.41.
AnalysisAI
Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Hydra Booking is a WordPress appointment/booking plugin developed by Themefic (CPE cpe:2.3:a:themefic:hydra_booking) that exposes booking management features through WordPress REST API or AJAX endpoints. The root cause is CWE-862 (Missing Authorization), meaning one or more handlers fail to verify that the requesting user has the appropriate capability or role before performing a sensitive action. In WordPress plugin context, this typically manifests as missing current_user_can() checks, absent nonce verification combined with capability checks, or REST API permission_callback handlers that return true unconditionally - allowing access control security levels to be bypassed entirely.
RemediationAI
Patch available per vendor advisory - administrators should upgrade Hydra Booking to the next release above 1.1.41 as published on the WordPress plugin repository and confirmed via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-41-broken-access-control-vulnerability. If immediate patching is not possible, deactivate the Hydra Booking plugin entirely (which will disable booking functionality on the site), or place the WordPress admin-ajax.php and /wp-json/ endpoints associated with the plugin behind a Web Application Firewall rule that requires authentication for plugin-specific routes - note that overly broad WAF rules may break legitimate booking submissions from unauthenticated site visitors, so rule scoping must target the specific vulnerable handlers identified by Patchstack rather than the entire plugin namespace.
More in Hydra Booking
View allStored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33688
GHSA-84xg-w3h6-9m3g