CVE-2025-49323
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SQL Injection flaw in the WordPress Hydra Booking plugin versions up to 1.1.10. It allows a malicious actor to manipulate the plugin's database by injecting malicious SQL commands, potentially leading to unauthorized data access or manipulation. It is classified under the OWASP Top 10 category A3: Injection and has a high severity CVSS score of 8.5. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to directly interact with and manipulate the plugin's database, which may result in data theft or unauthorized data changes. This can compromise the integrity and confidentiality of your data and potentially disrupt your website's functionality. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SQL Injection vulnerability involves monitoring for unusual database queries or unexpected interactions with the Hydra Booking plugin's database. While specific commands are not provided, general approaches include reviewing web server logs for suspicious input patterns targeting the plugin, using SQL query monitoring tools, or employing security scanners that detect SQL Injection attempts. Patchstack recommends professional incident response or hosting provider malware scanning for compromised sites rather than relying solely on plugin-based malware scanners. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Hydra Booking plugin to version 1.1.11 or later, where the vulnerability is fixed. Additionally, Patchstack offers virtual patching (vPatching) as an immediate protection strategy that auto-mitigates the vulnerability before official patches are applied. Enabling auto-updates for vulnerable plugins is also recommended to maintain security. For compromised sites, seeking professional incident response or hosting provider malware scanning is advised. [1]