Description
Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Hydra Booking: from n/a through 1.1.41.
Published: 2026-06-01
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hydra Booking plugin has a missing authorization flaw that allows attackers to bypass the intended access control restrictions. This can result in unauthorized users being able to view, modify or delete booking data, potentially compromising customer information and undermining business operations. The weakness is identified as CWE‑862 – Missing Authorization.

Affected Systems

The Vulnerability affects the Themefic Hydra Booking plugin on WordPress installations. All versions up to and including 1.1.41 are impacted. The problem is present from the earliest available release through 1.1.41; any deployment of those versions on a WordPress site is at risk.

Risk and Exploitability

The CVSS score of 7.3 indicates a high impact and the EPSS score is not available, so the exploitation probability is unknown. The flaw does not appear to require elevated privileges; attackers can leverage web requests to the plugin’s exposed endpoints to evade access checks. The plugin is not listed in CISA KEV, but the lack of a public exploit does not preclude future exploitation. Administrators should anticipate that attackers could use the web interface to manipulate booking data or gain unauthorized insight into user information.

Generated by OpenCVE AI on June 1, 2026 at 18:41 UTC.

Remediation

Vendor Solution

Update the WordPress Hydra Booking Plugin to the latest available version (at least 1.1.42).

OpenCVE Recommended Actions

  • Update the Hydra Booking Plugin to version 1.1.42 or later, which removes the missing authorization flaw.
  • If an immediate update is not possible, deny general users from accessing the plugin’s admin pages by restricting WordPress role capabilities or applying web‑application firewall rules that block requests to the affected endpoints.
  • Review and tighten user role permissions in WordPress to ensure only privileged staff can access booking management functions, thereby limiting the potential impact of the flaw.
  • Optionally, disable the Hydra Booking Plugin until the patched version is applied.

Generated by OpenCVE AI on June 1, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Themefic
Themefic hydra Booking
Wordpress
Wordpress wordpress
Vendors & Products Themefic
Themefic hydra Booking
Wordpress
Wordpress wordpress

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41.
Title WordPress Hydra Booking plugin <= 1.1.41 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Themefic Hydra Booking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-01T17:07:08.054Z

Reserved: 2026-04-29T09:04:52.624Z

Link: CVE-2026-42675

cve-icon Vulnrichment

Updated: 2026-06-01T17:07:03.408Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T17:17:00.043

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-42675

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T19:45:19Z

Weaknesses