Description
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary booking cancellation
Action: Immediate Patch
AI Analysis

Impact

The Hydra Booking plugin contains a weakness corresponding to CWE-330 (use of insufficiently random values): the token that authorizes cancelling a booking is derived from predictable inputs, and the nonce that guards the cancellation request is global rather than bound to a particular booking or user. A WordPress nonce is a CSRF check, not a secret, so a globally shared one adds no protection against an attacker who can obtain it; authorization rests entirely on the guessable token. An attacker who is not logged in can therefore brute force a valid token and cancel an existing booking without authorization. The direct consequence is loss of service and business disruption if critical appointments are cancelled.

Affected Systems

WordPress sites that have the Hydra Booking plugin at version 1.1.27 or earlier. The vulnerability applies to all installations regardless of other plugins or themes because the flaw is inherent to the plugin's core cancellation logic.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a network-reachable, unauthenticated attack whose only impact is a partial loss of integrity: bookings can be cancelled, but no data is disclosed and the site stays up. The EPSS score below 1% suggests a low likelihood of exploitation in the wild, and the flaw is not in CISA's KEV catalog, consistent with the SSVC assessment of Exploitation: none; note, however, that the same assessment marks the attack as Automatable: yes. Because the token is built from insufficiently random values, its effective search space is far smaller than its length suggests, so an attacker repeatedly guessing tokens against the public AJAX endpoint is limited by request rate rather than by token entropy. Once a valid token is found the attacker can cancel that booking, whoever it belongs to, and the process can be repeated for other bookings.

Generated by OpenCVE AI on April 22, 2026 at 03:56 UTC.
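The weak-token pattern the advisory describes (CWE-330), beside a hardened replacement, as an added illustrative example in PHP. This is not Hydra Booking's code and does not reproduce the plugin's actual generator: the function names, the choice of booking id plus creation timestamp as the predictable inputs, the twelve-character token length and the sample values are all assumptions made for the demonstration. The local $oracle stands in for the AJAX endpoint that accepts or rejects a presented token.

```php
<?php
// Added example, not Hydra Booking's code. Demonstrates why a cancellation
// token derived from predictable inputs (CWE-330) is brute-forceable, and
// what a hardened replacement looks like. All names and values are assumed.

// Hypothetical weak generator: the token depends only on the booking id and
// the second the booking was created. An attacker who knows roughly when a
// booking was made has a search space of a few thousand candidates.
function weak_cancel_token(int $booking_id, int $created_at): string {
    return substr(md5($booking_id . $created_at), 0, 12);
}

// Attacker side: enumerate candidate creation times inside a window and ask
// the oracle whether each derived token is accepted. In the real attack the
// oracle is a request to the cancellation endpoint; here it is local.
function brute_force_weak_token(int $booking_id, int $window_start, int $window_end, callable $oracle): ?int {
    for ($t = $window_start; $t <= $window_end; $t++) {
        if ($oracle(weak_cancel_token($booking_id, $t))) {
            return $t;
        }
    }
    return null;
}

// Hardened generator: 256 bits from the CSPRNG. Store it with the booking at
// creation time; nothing about the booking can be used to reconstruct it.
function strong_cancel_token(): string {
    return bin2hex(random_bytes(32));
}

// Constant-time comparison so the check itself does not leak via timing.
function verify_cancel_token(string $stored, string $presented): bool {
    return hash_equals($stored, $presented);
}

// --- Demo on constructed sample data ---
$booking_id = 4711;          // constructed sample booking id
$created_at = 1762858800;    // constructed creation timestamp (seconds)

$real   = weak_cancel_token($booking_id, $created_at);
$oracle = fn(string $candidate): bool => hash_equals($real, $candidate);

// Attacker only knows the booking was created within +/- 1 hour.
$window_start = $created_at - 3600;
$found = brute_force_weak_token($booking_id, $window_start, $created_at + 3600, $oracle);
printf("weak token %s recovered (t=%d) after %d guesses\n",
    $real, $found, $found - $window_start + 1);

// The hardened token cannot be derived; only the stored value verifies.
$stored = strong_cancel_token();
var_dump(verify_cancel_token($stored, $stored));                // bool(true)
var_dump(verify_cancel_token($stored, strong_cancel_token()));  // bool(false)
```

Run with php on the command line. Two design points carry over to any fix of this class of bug: the token must come from a CSPRNG and be stored per booking, never recomputed from booking attributes; and the WordPress nonce should stay a CSRF check only. For logged-out visitors a nonce is derived from user id 0 and the nonce tick, so every anonymous visitor receives the same nonce for a given action, which is exactly why it cannot serve as the authorization secret.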

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hydra Booking plugin to version 1.1.28 or later to apply the vendor‑supplied fix for the weak token generation.
  • Restrict access to the tfhb_meeting_form_cencel AJAX endpoint (for example to authenticated users or trusted IP addresses) to remove unauthenticated brute‑force attempts. The endpoint is reachable without login, presumably so that customers who are not logged in can cancel their own bookings, so confirm that your booking workflow does not depend on that before restricting it; treat this as a stopgap until the update is applied.
  • Deploy a web‑application firewall or rate‑limit rule to block repeated requests to the cancellation endpoint, mitigating brute‑force exploitation and reducing the chance of token discovery.

Generated by OpenCVE AI on April 22, 2026 at 03:56 UTC.
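A best-effort rate limit for the cancellation action, as an added example written as a WordPress must-use plugin; it is not OpenCVE's or the plugin's code. It assumes the vulnerable handler is dispatched through admin-ajax.php with action=tfhb_meeting_form_cencel (the action name is from the advisory; that it is an admin-ajax action is an assumption). The threshold of 10 attempts per client per 10 minutes, the transient key prefix and the use of REMOTE_ADDR as the client address are assumptions.

```php
<?php
/**
 * Plugin Name: Rate limit for tfhb_meeting_form_cencel (illustrative mitigation)
 * Description: Added example, not Hydra Booking's or OpenCVE's code. Caps the
 *              number of cancellation requests per client IP so that brute
 *              forcing a weak cancellation token becomes slow and noisy.
 *              Drop into wp-content/mu-plugins/ to load it on every request.
 */

// 'init' fires before admin-ajax.php dispatches the wp_ajax_{action} and
// wp_ajax_nopriv_{action} hooks, so the check runs ahead of the handler.
add_action('init', function () {
    if (!wp_doing_ajax()) {
        return;
    }

    // Assumption: the vulnerable handler is reached as an admin-ajax action
    // named tfhb_meeting_form_cencel (name taken from the advisory).
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
    if ($action !== 'tfhb_meeting_form_cencel') {
        return;
    }

    // Assumed policy: at most 10 attempts per client per 10 minutes.
    $max_attempts = 10;
    $window       = 10 * MINUTE_IN_SECONDS;

    // Assumption: REMOTE_ADDR is the client. Behind a reverse proxy or CDN,
    // derive the address from the proxy header you actually trust instead.
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $key = 'tfhb_cancel_rl_' . md5($ip);

    $hits = (int) get_transient($key);
    if ($hits >= $max_attempts) {
        // Log so the brute force is visible in the web server / PHP log.
        error_log(sprintf('tfhb_meeting_form_cencel rate limit hit for %s', $ip));
        wp_send_json_error(['message' => 'Too many cancellation attempts. Try again later.'], 429);
    }

    // Read-then-write on a transient is not atomic, so a tight burst can
    // slightly exceed the cap. Acceptable for a stopgap; a WAF rule in front
    // of the site is the stronger control, and the update is the real fix.
    set_transient($key, $hits + 1, $window);
}, 0);
```

wp_send_json_error terminates the request, so the plugin's handler never runs once the cap is reached. This throttles the brute force rather than removing the weakness: the token is still guessable, only slower, so keep the limit in place only until version 1.1.28 or later is deployed.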


Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themefic; Themefic hydra Booking; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themefic; Themefic hydra Booking; Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 11:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.

Type: Title
Values Removed: (none)
Values Added: Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-330

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:23.131Z

Reserved: 2025-11-05T23:23:11.777Z

Link: CVE-2025-12787

Vulnrichment

Updated: 2025-11-14T15:24:04.618Z

NVD

Status: Deferred

Published: 2025-11-11T11:15:34.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12787

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:08Z

Weaknesses