CVE-2025-68055 - Vulnerability Details

- WordPress Hydra Booking plugin <= 1.1.32 - SQL Injection vulnerability

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.32.

Published: 2025-12-16

Score: 8.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a classic SQL injection that allows an attacker to inject arbitrary SQL into commands processed by the Hydra Booking plugin. The lack of proper neutralization of special characters means that an unauthenticated or privileged attacker could read, modify, or delete records in the WordPress database. The vulnerability sits under CWE‑89 and carries a high severity score indicating significant risk.

Affected Systems

The affected plugin is Themefic Hydra Booking for WordPress, specifically all releases up to and including version 1.1.32. The issue does not affect newer releases once the vendor releases a fix. The problem is present across all installations of the plugin before the stated version limit.

Risk and Exploitability

With a CVSS score of 8.5 the vulnerability is considered high. The EPSS score of less than 1% suggests that exploitation is currently rare, and it is not yet listed in the CISA KEV catalog. The likely attack vector is through the web interface where the plugin processes user-supplied data. An attacker with sufficient access to the site could use it to exfiltrate data or compromise the underlying database.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Themefic

Hydra Booking

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.32

No data.

Vendor	Product	Confidence	Versions
Themefic	Hydra Booking	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Hydra Booking plugin to a version newer than 1.1.32
If an upgrade is not possible, disable or remove the plugin from the WordPress installation
Consider implementing a web application firewall or input validation controls to block malicious queries

Generated by OpenCVE AI on April 28, 2026 at 10:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-sql-injection-vulnerability?_s_id=cve

History

Mon, 27 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-sql-injection-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-sql-injection-vulnerability?_s_id=cve

Tue, 16 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themefic Themefic hydra Booking Wordpress Wordpress wordpress
Vendors & Products		Themefic Themefic hydra Booking Wordpress Wordpress wordpress

Tue, 16 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 16 Dec 2025 08:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.32.
Title		WordPress Hydra Booking plugin <= 1.1.32 - SQL Injection vulnerability
Weaknesses		CWE-89
References		https://vdp.patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-sql-injection-vulnerability?_s_id=cve

Subscriptions

Themefic Hydra Booking

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-12-16T08:12:59.985Z

Updated: 2026-04-28T16:14:27.805Z

Reserved: 2025-12-15T10:01:11.954Z

Link: CVE-2025-68055

Vulnrichment

Updated: 2025-12-16T15:51:02.264Z

NVD

Status : Deferred

Published: 2025-12-16T09:16:01.190

Modified: 2026-04-27T19:16:23.673

Link: CVE-2025-68055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object