Skip to main content

Hydra Booking EUVDEUVD-2026-43461

| CVE-2026-57388 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable stored XSS storable without privileges via a public booking form, but requiring an admin to view the payload (UI:R), with script executing in the victim's context (S:C) for limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:02 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.44.

AnalysisAI

Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit booking with malicious script payload
Delivery
Payload stored unsanitized by Hydra Booking
Exploit
Admin opens bookings view in wp-admin
Execution
Script executes in admin session
Impact
Steal session or act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can get input persisted through a Hydra Booking form/field that is later rendered without output encoding, and - per UI:R in the CVSS vector - it requires a victim (typically a logged-in administrator or staff member) to view the page containing the stored payload before the script fires; the payload does not self-trigger. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1 High) indicates a network-reachable, low-complexity issue that needs no privileges but does require user interaction, with a scope change reflecting that injected script executes in a different security context (the viewing user's authenticated session). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a booking or form entry containing a crafted JavaScript payload in a field that Hydra Booking stores without sanitizing. When a site administrator later opens the bookings view in wp-admin, the stored script executes in their authenticated session, allowing cookie/session theft or actions performed in the admin context. …
Remediation No vendor-released patch version is identified in the provided data, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-44-cross-site-scripting-xss-vulnerability?_s_id=cve) and upgrade to the first release published after 1.1.44 as soon as it is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress installations running Themefic Hydra Booking plugin version 1.1.44 or earlier and review admin access logs and session activity for signs of exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy