Hydra Booking < 1.1.28 – Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation | CVE 2025-12787 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized booking cancellation due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.

Affects Plugins

Fixed in 1.1.28

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/490dd84f-7c03-43c7-b4e1-167fa2b15c03

Miscellaneous

Original Researcher

Ahmad Salem (a7mad.cc)

Verified

No

WPVDB ID

74f2947a-dad6-4dbc-8413-22623aa67ecd

Timeline

Publicly Published

2025-11-10 (about 6 months ago)

Added

2025-11-11 (about 6 months ago)

Last Updated

2025-11-11 (about 6 months ago)

Other

Published

Title

Published

2014-08-01

Title

WordPress - Plupload Unspecified Cross-Site Scripting (XSS)

Published

2022-11-29

Title

Appointment Hour Booking < 1.3.73 - CAPTCHA Bypass

Published

2026-03-27

Title

SureForms < 2.6.0 - Unauthenticated Payment Amount Validation Bypass via 'form_id'

Published

2025-11-26

Title

SKT PayPal for WooCommerce < 1.5 - Unauthenticated Payment Bypass

Published

2017-03-06

Title

WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation