CVE-2025-7689

Summary

The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation.

Affected Software

VendorProductVersion RangeStatus
themeficHydra Booking – All in One Appointment Booking SystemAppointment Scheduling, Booking Calendar & WooCommerce Bookings1.1.0 <= 1.1.18

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References