Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection. This issue affects Hydra Booking: from n/a through <= 1.1.10.
Published: 2025-10-22
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hydra Booking plugin for WordPress contains an improper neutralization of special elements in SQL statements (CWE-89) that allows an attacker to inject arbitrary SQL. This flaw lets a malicious user read, modify, or delete booking data stored in the plugin’s database, potentially exposing or destroying customer information.

Affected Systems

The vulnerability affects all Hydra Booking releases from the earliest available through version 1.1.10, as distributed by Themefic. WordPress sites installing any of those plugin versions are vulnerable; no fixed version is currently released.

Risk and Exploitability

The flaw can be triggered remotely through the plugin’s web interface; no local privileges are needed. With a CVSS score of 8.5, the technical risk is high, while the EPSS of less than 1% suggests low current exploit activity, and the issue is not yet listed in the CISA KEV catalog. Despite the low probability of exploitation today, the vulnerability remains technically feasible and results in database compromise, so prompt remediation is advisable.

Generated by OpenCVE AI on April 30, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Hydra Booking to the latest version available from Themefic or the WordPress plugin repository.
  • If the plugin cannot be upgraded immediately, disable or uninstall it to remove the attack vector.
  • Restrict the database credentials used by WordPress so that the database user has only SELECT, INSERT, UPDATE, and DELETE permissions on the application database and no rights to create or drop tables.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Metrics
  Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  Values Added:   cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added:   cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}
                  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

First Time appeared
  Values Added: Themefic; Themefic hydra Booking; Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Themefic; Themefic hydra Booking; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 21:15:00 +0000

Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Description
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection. This issue affects Hydra Booking: from n/a through <= 1.1.10.
Title
  Values Added: WordPress Hydra Booking plugin <= 1.1.10 - SQL Injection vulnerability
Weaknesses
  Values Added: CWE-89
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:02.542Z

Reserved: 2025-06-04T09:42:56.995Z

Link: CVE-2025-49378

Vulnrichment

Updated: 2025-10-22T20:12:41.924Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:35.840

Modified: 2026-04-27T20:16:14.503

Link: CVE-2025-49378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:00:12Z

Weaknesses