Hydra Booking WordPress Plugin Unauthenticated Arbitrary Booking Cancellation Vulnerability

Vulnerability

A vulnerability exists in the Hydra Booking WordPress plugin (Appointment Scheduling & Booking Calendar component), affecting all versions through 1.1.27. It allows unauthenticated users to cancel arbitrary bookings. The root cause is that the plugin's booking cancellation tokens are generated from insufficiently random values and are protected only by a nonce shared globally rather than per booking. Because the token space is small and the nonce does not bind a request to a particular booking, an attacker can brute-force the token submitted to the tfhb_meeting_form_cencel AJAX endpoint and cancel bookings that are not theirs.
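The weakness above is the combination of a guessable token and a shared nonce. As an added example (not code from Hydra Booking or its patch), the following shows the defensive pattern a booking plugin should use instead: a 256-bit random token minted per booking, stored only as a hash, compared in constant time, single-use, and rate-limited with logging so guessing is both infeasible and visible. Hook, meta key and function names are hypothetical placeholders; the WordPress API calls are real.

```php
<?php
// Added example, not Hydra Booking's code: an unguessable per-booking
// cancellation token. Hook and meta key names are hypothetical.

// Called when a booking is created: mint a 256-bit random token, store only
// its hash, and return the raw token for the e-mailed cancellation link.
function example_issue_cancel_token( int $booking_id ): string {
    $token = bin2hex( random_bytes( 32 ) );            // CSPRNG, 2^256 space
    update_post_meta( $booking_id, '_example_cancel_hash', hash( 'sha256', $token ) );
    return $token;
}

// Handler for an unauthenticated AJAX action: the token itself is the
// per-booking secret, so no globally shared nonce is relied on.
function example_handle_cancel() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $token      = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );

    // Throttle repeated failures per client IP so guessing is slow and loud.
    $ip       = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $bucket   = 'example_cancel_fail_' . md5( $ip );
    $failures = (int) get_transient( $bucket );
    if ( $failures >= 10 ) {
        wp_send_json_error( 'too many attempts', 429 );
    }

    $stored = (string) get_post_meta( $booking_id, '_example_cancel_hash', true );
    $valid  = $booking_id > 0
        && strlen( $token ) === 64
        && '' !== $stored
        && hash_equals( $stored, hash( 'sha256', $token ) );  // constant-time compare

    if ( ! $valid ) {
        set_transient( $bucket, $failures + 1, 15 * MINUTE_IN_SECONDS );
        error_log( sprintf( 'booking cancel rejected: id=%d ip=%s', $booking_id, $ip ) );
        wp_send_json_error( 'invalid cancellation link', 403 );
    }

    delete_post_meta( $booking_id, '_example_cancel_hash' );  // single use
    update_post_meta( $booking_id, '_example_status', 'cancelled' );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_booking_cancel', 'example_handle_cancel' );
add_action( 'wp_ajax_example_booking_cancel', 'example_handle_cancel' );
```

The rejected-attempt log line gives defenders a signal to alert on: a burst of 403s from one source against the cancellation action is the brute-force pattern this advisory describes.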

Impact

Exploitation of this vulnerability allows unauthorized cancellation of bookings, disrupting scheduled appointments and causing inconvenience and potential loss of business for users and service providers.

Remediation

Update to version 1.1.28 or a newer patched version to address this vulnerability.

Added: Nov 11, 2025, 11:20 AM
Updated: Nov 11, 2025, 11:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 7.7
relevance: 1.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.