CVE-2026-12433
Received Received - Intake

Insecure Direct Object Reference in Hydra Booking WordPress Plugin

Vulnerability report for CVE-2026-12433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hydra_booking appointment_scheduling_and_booking_calendar to 1.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Hydra Booking plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in versions up to 1.2.1. This occurs because the plugin's REST endpoint /wp-json/hydra-booking/v1/booking/details/{id} allows authenticated users with Hydra Host-level access to request booking details by ID without verifying if the booking belongs to them.

As a result, attackers with the appropriate role can access sensitive booking information of other hosts by iterating through booking IDs.

Impact Analysis

This vulnerability allows attackers with Hydra Host-level access to view sensitive information from other hosts' bookings. This includes attendee names, emails, phone numbers, addresses, meeting details, payment methods and statuses, transaction histories, and internal notes.

Such unauthorized access can lead to privacy breaches, exposure of personal and financial data, and potential misuse of this information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart