Skip to main content

Hydra Booking EUVDEUVD-2026-33688

| CVE-2026-42675 HIGH
Missing Authorization (CWE-862)
2026-06-01 Patchstack GHSA-84xg-w3h6-9m3g
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 17:18 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Hydra Booking: from n/a through 1.1.41.

AnalysisAI

Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Hydra Booking is a WordPress appointment/booking plugin developed by Themefic (CPE cpe:2.3:a:themefic:hydra_booking) that exposes booking management features through WordPress REST API or AJAX endpoints. The root cause is CWE-862 (Missing Authorization), meaning one or more handlers fail to verify that the requesting user has the appropriate capability or role before performing a sensitive action. In WordPress plugin context, this typically manifests as missing current_user_can() checks, absent nonce verification combined with capability checks, or REST API permission_callback handlers that return true unconditionally - allowing access control security levels to be bypassed entirely.

RemediationAI

Patch available per vendor advisory - administrators should upgrade Hydra Booking to the next release above 1.1.41 as published on the WordPress plugin repository and confirmed via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-41-broken-access-control-vulnerability. If immediate patching is not possible, deactivate the Hydra Booking plugin entirely (which will disable booking functionality on the site), or place the WordPress admin-ajax.php and /wp-json/ endpoints associated with the plugin behind a Web Application Firewall rule that requires authentication for plugin-specific routes - note that overly broad WAF rules may break legitimate booking submissions from unauthenticated site visitors, so rule scoping must target the specific vulnerable handlers identified by Patchstack rather than the entire plugin namespace.

Share

EUVD-2026-33688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy