CVE-2025-12787
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-12
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | hydra_booking | 1.1.27 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Hydra Booking WordPress plugin up to version 1.1.27. It allows unauthenticated attackers to cancel arbitrary bookings without permission. The issue arises because the plugin uses insufficiently random values combined with a globally shared nonce to generate booking cancellation tokens. Attackers can exploit this by performing brute force attacks against the booking cancellation AJAX endpoint to guess valid tokens and cancel bookings they should not have access to.
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized individuals to cancel bookings made through the Hydra Booking plugin. This could disrupt your scheduling, cause loss of business or trust, and potentially lead to operational issues if legitimate appointments are canceled without consent.