WordPress Plugin Vulnerabilities

Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function

Description

The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation.

Affects Plugins

Plugin icon
hydra-booking
Fixed in 1.1.19

References

CVE
CVE-2025-7689
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93027dd1-f36a-4954-a8d2-b77bbbaef6fb

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
kr0d
Verified
No
WPVDB ID
29882e3d-a704-46f2-9c68-da647b3d8ead

Timeline

Publicly Published
2025-07-28 (about 9 months ago)
Added
2025-07-28 (about 9 months ago)
Last Updated
2025-07-29 (about 9 months ago)

Other

Published
Title
Published
2024-10-11
Title
Bridge Core < 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Demo Import
Published
2024-06-07
Title
WP Reset < 2.03 - Missing Authorization to License Key Modification
Published
2024-12-30
Title
Floating Action Buttons < 1.0.1 - Missing Authorization
Published
2025-04-16
Title
Starfish Review Generation & Marketing <= 3.1.19 - Subscriber+ Arbitrary Options Update
Published
2025-01-08
Title
GS Insever Portfolio <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) CSS Injection