CVE-2025-12787
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-11

Last updated on: 2025-11-12

Assigner: Wordfence

Description
The Hydra Booking β€” Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-11
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12787
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress hydra_booking 1.1.27
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hydra Booking WordPress plugin up to version 1.1.27. It allows unauthenticated attackers to cancel arbitrary bookings without permission. The issue arises because the plugin uses insufficiently random values combined with a globally shared nonce to generate booking cancellation tokens. Attackers can exploit this by performing brute force attacks against the booking cancellation AJAX endpoint to guess valid tokens and cancel bookings they should not have access to.

Impact Analysis

The vulnerability can impact you by allowing unauthorized individuals to cancel bookings made through the Hydra Booking plugin. This could disrupt your scheduling, cause loss of business or trust, and potentially lead to operational issues if legitimate appointments are canceled without consent.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart