Impact
The vulnerability in the Themefic Hydra Booking plugin stems from a missing authorization check: a plugin endpoint performs a privileged operation without first verifying that the requesting user holds the capability that operation requires. This lets users who should be restricted read or manipulate booking data and reach related administrative functions, potentially exposing customer information or altering reservation records. The weakness is classified as CWE-862 (Missing Authorization), a broken access control flaw that directly undermines the confidentiality and integrity of the booking system.
Affected Systems
Any WordPress site running the Hydra Booking plugin by Themefic at version 1.1.9 or earlier. Every release from the first published version up to and including 1.1.9 is affected; when checking an installation, compare the plugin version as a version string (for example with version_compare()) rather than as a decimal number, since 1.1.10 sorts after 1.1.9 only under version comparison.
Risk and Exploitability
The CVSS base score of 6.3 places the flaw in the medium severity band, while the EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild over the next 30 days. The flaw is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so there is no evidence of active exploitation at the time of writing. Based on the description, it is inferred that an attacker would target the plugin's exposed administrative or otherwise unlinked endpoints (AJAX actions or REST routes) that lack the capability check, and, once reached, could read, modify, or delete booking information. Because the missing check is the only control on those endpoints, no elevated role is needed: any user able to send requests to them, including a low-privilege account such as a subscriber if the handler is registered for authenticated users, or an anonymous visitor if it is registered for unauthenticated requests, can trigger the affected actions.
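The following is an added illustration of the code pattern behind a CWE-862 finding in a WordPress plugin; it is not code from the Hydra Booking plugin, whose handlers are not shown on this page. All hook names, action names, capabilities and the table name are hypothetical. It shows an AJAX handler and a REST route that perform a booking update with no authorization check, beside the hardened equivalents that verify a nonce and a capability before touching booking data.

```php
<?php
/**
 * Illustrative example only. Not code from the Hydra Booking plugin.
 * Every hook, action, capability and table name below is hypothetical.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern (CWE-862): the handler is reachable by any logged-in user
// and never asks whether that user is allowed to change bookings.
// ---------------------------------------------------------------------------
// wp_ajax_{action} fires for every authenticated user, including subscribers.
// (wp_ajax_nopriv_{action} would expose the same handler to anonymous visitors.)
add_action( 'wp_ajax_example_update_booking', 'example_update_booking_vulnerable' );

function example_update_booking_vulnerable() {
    global $wpdb;
    $booking_id = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status     = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';

    // Missing: no current_user_can() check and no nonce verification.
    $wpdb->update(
        $wpdb->prefix . 'example_bookings', // hypothetical table
        array( 'status' => $status ),
        array( 'id' => $booking_id ),
        array( '%s' ),
        array( '%d' )
    );
    wp_send_json_success( array( 'updated' => $booking_id ) );
}

// A REST route with permission_callback => '__return_true' has the same defect:
// WordPress will happily route unauthenticated requests to the callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/booking/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_update_booking', // hypothetical
        'permission_callback' => '__return_true',               // no authorization at all
    ) );
} );

// ---------------------------------------------------------------------------
// Hardened pattern: same operation, with explicit authorization and CSRF checks.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_example_update_booking_secure', 'example_update_booking_secure' );

function example_update_booking_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request with 403 when it is absent or invalid.
    check_ajax_referer( 'example_update_booking', 'nonce' );

    // 2. Authorization: require a capability only booking staff hold.
    //    'manage_example_bookings' is a hypothetical plugin-specific capability;
    //    falling back to the administrator capability 'manage_options' is acceptable
    //    when the plugin does not register its own.
    if ( ! current_user_can( 'manage_example_bookings' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input validation: reject malformed ids and unknown status values.
    $booking_id       = isset( $_POST['booking_id'] ) ? absint( $_POST['booking_id'] ) : 0;
    $status           = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    $allowed_statuses = array( 'pending', 'confirmed', 'cancelled' );
    if ( 0 === $booking_id || ! in_array( $status, $allowed_statuses, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 );
    }

    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'example_bookings',
        array( 'status' => $status ),
        array( 'id' => $booking_id ),
        array( '%s' ),
        array( '%d' )
    );
    wp_send_json_success( array( 'updated' => $booking_id ) );
}

// REST equivalent: the permission_callback is where the capability check belongs.
// Cookie-authenticated REST requests must also send the X-WP-Nonce header, which
// WordPress core verifies before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/booking-secure/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_update_booking', // hypothetical
        'permission_callback' => function () {
            return current_user_can( 'manage_example_bookings' ) || current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep for every `add_action( 'wp_ajax_` and `register_rest_route(` registration and confirm that each callback, or its `permission_callback`, calls `current_user_can()` with a capability that matches the sensitivity of the operation; a nonce check alone is not authorization, since any logged-in user can obtain a nonce for an action the page exposes to them.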
OpenCVE Enrichment