Skip to main content

Hydra Booking

3 CVEs product

Monthly

CVE-2026-57388 HIGH This Week

Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.

XSS Hydra Booking
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-42675 HIGH This Week

Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Hydra Booking
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-39541 MEDIUM This Month

Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.

XSS Hydra Booking
NVD
CVSS 3.1
5.9
EPSS
0.0%
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.

XSS Hydra Booking
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Broken access control in Themefic Hydra Booking WordPress plugin through version 1.1.41 allows remote unauthenticated attackers to access functionality that should be restricted by authorization checks. The flaw stems from missing authorization (CWE-862) on plugin endpoints, with CVSS 7.3 reflecting low impact across confidentiality, integrity, and availability without requiring privileges or user interaction. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Hydra Booking
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.

XSS Hydra Booking
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy