{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12787", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-05T23:23:11.777Z", "datePublished": "2025-11-11T11:03:45.316Z", "dateUpdated": "2026-04-08T16:50:23.131Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:23.131Z"}, "affected": [{"vendor": "themefic", "product": "Hydra Booking \u2014 Appointment Scheduling & Booking Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.27", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hydra Booking \u2014 Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's \"tfhb_meeting_form_submit_callback\" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint."}], "title": "Hydra Booking \u2013 All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/490dd84f-7c03-43c7-b4e1-167fa2b15c03?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-330 Use of Insufficiently Random Values", "cweId": "CWE-330", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ahmad Salem"}], "timeline": [{"time": "2025-10-28T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-06T00:26:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-10T22:27:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-14T15:24:03.918929Z", "id": "CVE-2025-12787", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:29:36.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12787", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-14T15:24:03.918929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-14T15:24:04.618Z"}}], "cna": {"title": "Hydra Booking \u2013 All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation", "credits": [{"lang": "en", "type": "finder", "value": "Ahmad Salem"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themefic", "product": "Hydra Booking \u2014 Appointment Scheduling & Booking Calendar", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.27"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-28T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-06T00:26:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-10T22:27:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/490dd84f-7c03-43c7-b4e1-167fa2b15c03?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php"}], "descriptions": [{"lang": "en", "value": "The Hydra Booking \u2014 Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's \"tfhb_meeting_form_submit_callback\" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T11:03:45.316Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12787", "state": "PUBLISHED", "dateUpdated": "2025-11-14T15:29:36.323Z", "dateReserved": "2025-11-05T23:23:11.777Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T11:03:45.316Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hydra Booking \u2014 Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's \"tfhb_meeting_form_submit_callback\" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint."}], "id": "CVE-2025-12787", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T11:15:34.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/490dd84f-7c03-43c7-b4e1-167fa2b15c03?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T03:56:04.623073+00:00", "value": {"mitigation_remediation": ["Update the Hydra Booking plugin to version 1.1.28 or later to apply the vendor\u2011supplied fix for the weak token generation.", "Restrict access to the tfhb_meeting_form_cencel AJAX endpoint so that only authenticated users or trusted IP addresses can invoke it, thereby preventing unauthenticated token brute\u2011force attempts.", "Deploy a web\u2011application firewall or rate\u2011limit rule to block repeated requests to the cancellation endpoint, mitigating brute\u2011force exploitation and reducing the chance of token discovery."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated arbitrary booking cancellation"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Hydra Booking plugin at version 1.1.27 or earlier. The vulnerability applies to all installations regardless of other plugins or themes because the flaw is inherent to the plugin's core cancellation logic.", "description_and_impact": "The Hydra Booking plugin contains a weakness corresponding to CWE\u2011330, where the token used to cancel a booking is generated from insufficiently random values and shared across all users. This flaw allows an attacker who is not logged in to guess or brute force a valid token and trick the system into canceling an existing booking without authorization. The direct consequence is loss of service and potential business disruption if critical appointments are canceled.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of automated exploitation. The flaw is not listed in CISA's KEV catalog, pointing to limited known exploitation. Attackers would need to repeatedly attempt to guess the cancellation token via the public AJAX endpoint, which may take a significant amount of time given the token weak randomness. Despite this, once a valid token is discovered the attacker can cancel any booking belonging to any user."}}}}, "created": "2025-11-12T12:42:43.327625+00:00", "updated": "2026-04-22T04:00:08.013579+00:00", "vendors": ["themefic", "themefic$PRODUCT$hydra_booking", "wordpress", "wordpress$PRODUCT$wordpress"]}