Hydra Booking
Monthly
Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.
Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.
Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.
Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.