CVE-2025-12788
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | hydra_booking | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Hydra Booking WordPress plugin where it fails to properly verify payment confirmations server-side. Specifically, the plugin accepts payment confirmation data controlled by the client in the tfhb_meeting_paypal_payment_confirmation_callback function without validating it with PayPal's API. This allows unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction.
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to bypass payment and confirm bookings as paid without making any real payment. This could lead to financial losses, unauthorized bookings, and potential disruption of business operations relying on the plugin for appointment scheduling and payment processing.