Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable stored XSS storable without privileges via a public booking form, but requiring an admin to view the payload (UI:R), with script executing in the victim's context (S:C) for limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.44.
AnalysisAI
Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker can get input persisted through a Hydra Booking form/field that is later rendered without output encoding, and - per UI:R in the CVSS vector - it requires a victim (typically a logged-in administrator or staff member) to view the page containing the stored payload before the script fires; the payload does not self-trigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, 7.1 High) indicates a network-reachable, low-complexity issue that needs no privileges but does require user interaction, with a scope change reflecting that injected script executes in a different security context (the viewing user's authenticated session). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a booking or form entry containing a crafted JavaScript payload in a field that Hydra Booking stores without sanitizing. When a site administrator later opens the bookings view in wp-admin, the stored script executes in their authenticated session, allowing cookie/session theft or actions performed in the admin context. … |
| Remediation | No vendor-released patch version is identified in the provided data, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-44-cross-site-scripting-xss-vulnerability?_s_id=cve) and upgrade to the first release published after 1.1.44 as soon as it is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress installations running Themefic Hydra Booking plugin version 1.1.44 or earlier and review admin access logs and session activity for signs of exploitation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Hydra Booking
View allBroken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated at
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43461