CVE-2026-42675
Description
A missing authorization vulnerability in the Hydra Booking WordPress plugin up to version 1.1.41 allows unprivileged users to perform unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Hydra Booking plugin for WordPress, in all versions from n/a through 1.1.41, contains a broken access control vulnerability [2]. This issue stems from a missing authorization, authentication, or nonce token check within specific plugin functions, which allows the execution of sensitive actions without proper permission validation [2].
Exploitation
An attacker does not require high-level privileges to exploit this vulnerability. By calling the affected functions, an unprivileged user can trigger higher-privileged actions that were intended to be restricted [2]. The vulnerability is considered highly dangerous, and affected sites are exposed to mass-exploitation campaigns that target WordPress installations [2].
Impact
Successful exploitation of this vulnerability allows an unprivileged user to perform unauthorized actions within the WordPress site, potentially leading to a compromise of the application's integrity or administrative functions [2]. The vulnerability carries a CVSS score of 7.3, reflecting the significant risk posed by the lack of access control [2].
Mitigation
Users should update the Hydra Booking plugin to version 1.1.42 or later to resolve this vulnerability [2]. If an immediate update is not possible, site administrators should consult with their hosting provider or web developer to implement security measures, such as firewall rules, to block potential exploitation attempts [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.