Description
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Payment Bypass
Action: Immediate Patch
AI Analysis

Impact

The Hydra Booking plugin for WordPress allows client‑controlled payment confirmation data to be accepted by the "tfhb_meeting_paypal_payment_confirmation_callback" function without server‑side verification against PayPal.

Affected Systems

The vulnerability affects the Themefic Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress versions up to and including 1.1.27. Users of older releases should verify their installed plugin version.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is below 1%, suggesting that exploitation is unlikely but still possible, especially if the site exposes the payment confirmation endpoint to the public. The flaw is not listed in CISA's KEV catalog, but its impact on financial transactions warrants caution. Attackers would likely trigger the callback by submitting forged data through the booking interface from any unauthenticated location.

Generated by OpenCVE AI on April 22, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hydra Booking plugin to version 1.1.28 or later to apply the vendor fix.
  • If an upgrade is not immediately feasible, modify the _tfhb_meeting_paypal_payment_confirmation_callback_ function to perform server‑side verification of PayPal responses using the PayPal API before accepting the confirmation.
  • Restrict access to the payment confirmation endpoint so that only authenticated or signed requests from PayPal can reach it, for example by adding a secret key or IP whitelist.

Generated by OpenCVE AI on April 22, 2026 at 00:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Themefic
Themefic hydra Booking
Wordpress
Wordpress wordpress
Vendors & Products Themefic
Themefic hydra Booking
Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
Description The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring.
Title Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass
Weaknesses CWE-602
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Themefic Hydra Booking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:59.618Z

Reserved: 2025-11-06T00:09:09.016Z

Link: CVE-2025-12788

cve-icon Vulnrichment

Updated: 2025-11-14T15:24:03.179Z

cve-icon NVD

Status : Deferred

Published: 2025-11-11T11:15:34.890

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12788

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses