Impact
The vulnerability is an incorrect privilege assignment that allows an attacker to elevate their privileges within the WordPress installation when the Hydra Booking plugin is at version 1.1.32 or earlier. The flaw permits an authenticated user to gain higher permissions than intended, potentially enabling the creation, modification, or deletion of booking data and related administrative functions. This compromises the confidentiality, integrity, and availability of data managed by the plugin and can facilitate further misuse of the WordPress site.
Affected Systems
The affected product is Themefic's Hydra Booking plugin for WordPress. All installations running any release from the first public build up to and including version 1.1.32 are susceptible. No release up to and including 1.1.32 contains a fix; users must upgrade to 1.1.33 or later to remediate the flaw.
Risk and Exploitability
The CVSS score of 7.3 indicates moderate to high severity for the exposure. The EPSS score of <1% suggests that, as of the current data, the probability of exploitation is low but not negligible. The vulnerability is not listed in CISA's KEV catalog, so no active widespread exploitation has been observed. The likely attack vector is the web application: an attacker who can authenticate to the WordPress site with a role that has access to Hydra Booking settings could exploit the privilege assignment flaw by navigating to plugin pages or submitting crafted requests. Successful exploitation requires valid credentials but does not require administrative rights beforehand, which makes it a serious risk for sites with a large user base.
OpenCVE Enrichment