WordPress Plugin Vulnerabilities

Hydra Booking < 1.1.39 - Authenticated (Hydra host+) Stored Cross-Site Scripting

Description

The Hydra Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with hydra host-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
hydra-booking
Fixed in 1.1.39

References

CVE
CVE-2026-39541
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/094d4fb1-1b8e-4d0c-9e79-91ecf39caf9f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
benzdeus
Verified
No
WPVDB ID
37279bb1-3cb3-447c-9aa9-4419e24c567c

Timeline

Publicly Published
2026-02-15 (about 3 months ago)
Added
2026-04-15 (about 1 month ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2025-03-20
Title
Feedify – Web Push Notifications < 2.4.6 - Reflected XSS
Published
2025-06-07
Title
Logo Changer <= 1.2 - Unauthenticated Stored Cross-Site Scripting
Published
2025-09-16
Title
Media Player Addons for Elementor < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields
Published
2024-11-11
Title
Print PDF Generator and Publisher < 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2016-05-11
Title
pondol-carousel 1.0 - Cross-Site Scripting (XSS)