Insecure Direct Object Reference Vulnerability in Hydra Booking Plugin for WordPress
CVE-2026-12433
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-12433?
The Hydra Booking plugin for WordPress contains a vulnerability allowing authenticated attackers with host-level permissions to access sensitive booking records across different hosts. This happens via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint, which fails to ensure that the requested booking belongs to the authenticated user. The vulnerability arises from inadequate authorization checks in the getBookingDetails() function, enabling attackers to enumerate booking IDs and retrieve personal data such as attendee names, emails, phone numbers, and transaction details. This presents significant privacy risks for users relying on the booking system.
Affected Version(s)
Hydra Booking β Appointment Scheduling & Booking Calendar 0 <= 1.2.1