Hydra Booking WordPress Plugin Payment Verification Bypass Vulnerability
Vulnerability
A vulnerability exists in the Hydra Booking WordPress plugin (Appointment Scheduling & Booking Calendar component) in all versions up to and including 1.1.27. The issue arises from the plugin's tfhb_meeting_paypal_payment_confirmation_callback function, which accepts client-controlled payment confirmation data without verifying it server-side against PayPal's API. This flaw allows unauthenticated attackers to bypass payment requirements and falsely confirm bookings as paid, without any actual payment being made.
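The flaw described above is the familiar "trust the client's word about the payment" anti-pattern. The following is an added example, not the Hydra Booking plugin's own code and not its fix: it shows a WordPress AJAX confirmation handler that decides the booking's payment status only from PayPal's Orders API (GET /v2/checkout/orders/{id}), with the insecure shape kept alongside as a comparison. All names prefixed hb_example_, the hb_booking_* post meta keys, the option names holding PayPal credentials, and the order-id format check are assumptions made for this illustration.

```php
<?php
// Added example (not the Hydra Booking plugin's code). Assumed names: every
// hb_example_* function/option and every hb_booking_* meta key is hypothetical.

// Anti-pattern the advisory describes: trusting client-supplied confirmation
// data. Nothing in the request proves PayPal captured a payment, so a handler
// shaped like this lets any visitor mark a booking as paid. It is never hooked
// to an action here; it exists only for comparison with the hardened version.
function hb_example_insecure_confirmation() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    if ( ( $_POST['payment_status'] ?? '' ) === 'COMPLETED' ) { // client-controlled
        update_post_meta( $booking_id, 'hb_booking_payment_status', 'paid' );
    }
    wp_send_json_success();
}

// Obtain an OAuth2 access token (client-credentials grant, PayPal REST v1).
// Credentials come from server-side options, never from the request.
function hb_example_paypal_access_token( $api_base ) {
    $client_id = get_option( 'hb_example_paypal_client_id' );
    $secret    = get_option( 'hb_example_paypal_secret' );
    $response  = wp_remote_post( $api_base . '/v1/oauth2/token', array(
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( $client_id . ':' . $secret ),
            'Content-Type'  => 'application/x-www-form-urlencoded',
        ),
        'body'    => 'grant_type=client_credentials',
        'timeout' => 15,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return $data['access_token'] ?? null;
}

// Pure check, separated so it can be unit-tested against captured API responses:
// the order must be captured (status COMPLETED) and its first purchase unit must
// match the amount and currency the booking recorded at creation time.
function hb_example_order_pays_for_booking( $order, $expected_amount, $expected_currency ) {
    if ( ( $order['status'] ?? '' ) !== 'COMPLETED' ) {
        return false;
    }
    $amount = $order['purchase_units'][0]['amount'] ?? null;
    if ( ! is_array( $amount ) || ! isset( $amount['value'], $amount['currency_code'] ) ) {
        return false;
    }
    $same_amount = number_format( (float) $amount['value'], 2, '.', '' )
                === number_format( (float) $expected_amount, 2, '.', '' );
    return $same_amount && $amount['currency_code'] === $expected_currency;
}

// Hardened handler: the only client input used is the booking id and the PayPal
// order id; everything that decides "paid or not" comes from PayPal's Orders API.
function hb_example_secure_confirmation() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $order_id   = sanitize_text_field( wp_unslash( $_POST['order_id'] ?? '' ) );
    // Order-id shape check is an assumption for this example, not PayPal's spec.
    if ( ! $booking_id || ! preg_match( '/^[A-Z0-9-]{1,64}$/', $order_id ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    // Reject replays early: one PayPal order may settle one booking only.
    if ( get_post_meta( $booking_id, 'hb_booking_paypal_order_id', true ) ) {
        wp_send_json_error( 'booking already settled', 409 );
    }
    // Expected amount/currency were stored server-side when the booking was created.
    $expected_amount   = get_post_meta( $booking_id, 'hb_booking_amount', true );
    $expected_currency = get_post_meta( $booking_id, 'hb_booking_currency', true );

    $api_base = ( 'live' === get_option( 'hb_example_paypal_mode' ) )
        ? 'https://api-m.paypal.com' : 'https://api-m.sandbox.paypal.com';
    $token = hb_example_paypal_access_token( $api_base );
    if ( ! $token ) {
        wp_send_json_error( 'payment gateway unavailable', 502 );
    }
    // Ask PayPal, not the browser, what state the order is in.
    $response = wp_remote_get( $api_base . '/v2/checkout/orders/' . rawurlencode( $order_id ), array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'order lookup failed', 502 );
    }
    $order = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! hb_example_order_pays_for_booking( $order, $expected_amount, $expected_currency ) ) {
        wp_send_json_error( 'payment not verified', 402 );
    }
    update_post_meta( $booking_id, 'hb_booking_paypal_order_id', $order_id );
    update_post_meta( $booking_id, 'hb_booking_payment_status', 'paid' );
    wp_send_json_success();
}

// The confirmation endpoint stays reachable by unauthenticated visitors (as a
// checkout return handler must be), which is exactly why the decision rests on
// PayPal's answer rather than on anything in the request.
add_action( 'wp_ajax_hb_example_confirm', 'hb_example_secure_confirmation' );
add_action( 'wp_ajax_nopriv_hb_example_confirm', 'hb_example_secure_confirmation' );
```

The important design choice is that the server-side lookup, the amount and currency comparison against values recorded at booking time, and the one-order-per-booking check together close the gap: a request can no longer assert "paid", and a single real capture cannot be reused to settle several bookings.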
Impact
Exploitation of this vulnerability allows for unauthorized payment confirmations, enabling attackers to manipulate booking statuses to 'paid' without completing a transaction.
Remediation
Users are advised to update the Hydra Booking WordPress plugin to version 1.1.28 or later.