Hydra Booking Appointment Scheduling Booking Calendar
Monthly
{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.
{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.