Insecure Direct Object Reference Vulnerability in Hydra Booking Plugin for WordPress
CVE-2026-12433

4.3MEDIUM

What is CVE-2026-12433?

The Hydra Booking plugin for WordPress contains a vulnerability allowing authenticated attackers with host-level permissions to access sensitive booking records across different hosts. This happens via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint, which fails to ensure that the requested booking belongs to the authenticated user. The vulnerability arises from inadequate authorization checks in the getBookingDetails() function, enabling attackers to enumerate booking IDs and retrieve personal data such as attendee names, emails, phone numbers, and transaction details. This presents significant privacy risks for users relying on the booking system.

Affected Version(s)

Hydra Booking β€” Appointment Scheduling & Booking Calendar 0 <= 1.2.1

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Quang
.