Hydra Booking 1.1.0 – 1.1.18 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function

July 29, 2025 invoker category_cve

CVE Details

Basic Information

Title Hydra Booking 1.1.0 – 1.1.18 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function
Type cve
Published 2025-07-29T09:23:46.386Z
Modified 2025-07-29T09:23:46.386Z

Product Information

Vendor themefic
Product Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings
Version 1.1.0

CVSS Information

Base Score 8.8 (HIGH)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

  • themefic Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings 1.1.0

Additional Information

CWE List CWE-862
Source Wordfence

Description

The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.