Skip to main content

Hydra Booking Appointment Scheduling Booking Calendar

1 CVEs product

Monthly

CVE-2026-12433 MEDIUM This Month

{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.

Authentication Bypass WordPress Hydra Booking Appointment Scheduling Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
EPSS 0% CVSS 4.3
MEDIUM This Month

{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.

Authentication Bypass WordPress Hydra Booking Appointment Scheduling Booking Calendar
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy