WordPress Plugin Vulnerabilities

Hydra Booking < 1.1.33 - Unauthenticated Privilege Escalation

Description

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

Affects Plugins

Plugin icon
hydra-booking
Fixed in 1.1.33

References

CVE
CVE-2025-68027
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a0998721-7b5e-4657-894c-52dfadde5d4a

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
23418101-c07a-4016-8dc3-72d3eee163f4

Timeline

Publicly Published
2026-01-21 (about 4 months ago)
Added
2026-01-28 (about 3 months ago)
Last Updated
2026-01-28 (about 3 months ago)

Other

Published
Title
Published
2018-09-04
Title
Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
Published
2026-01-22
Title
Final User <= 1.2.5 - Authenticated (Subscriber+) Privilege Escalation
Published
2020-04-08
Title
Gutenberg Blocks - Ultimate Addons for Gutenberg < 1.14.8 - Authenticated Settings Change
Published
2023-05-23
Title
ReviewX < 1.6.14 - Subscriber+ Privilege Escalation
Published
2025-04-24
Title
Service Finder Bookings < 6.0 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input'