CVE-2025-12787 MEDIUM

CVE-2025-12787: Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation

Vendor Themefic
Product Hydra Booking — Appointment Scheduling & Booking Calendar
Weakness CWE-330 · Use of Insufficiently Random Values
Published November 11, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.
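The handler below is an added example written for this page; it is not Hydra Booking's code and does not claim to show how the plugin's tfhb_meeting_form_submit_callback or tfhb_meeting_form_cencel are written. It contrasts the bug class the advisory describes (a cancellation token computed from guessable inputs) with a hardened unauthenticated cancellation endpoint. All hb_* names are hypothetical, and it assumes bookings are stored as WordPress posts with the cancellation secret kept in post meta.

```php
<?php
// Added example (not Hydra Booking's code). Hypothetical hb_* names; assumes
// bookings are WordPress posts with their cancellation secret in post meta.
// Drop into a mu-plugin to try it on a test site.

// Weak pattern, illustrating the CWE-330 bug class: a short token computed
// from values an attacker can guess (booking id, day). It can be recomputed
// outright or enumerated, and at most 16^8 values exist in any case.
function hb_weak_cancel_token( int $booking_id ): string {
    return substr( md5( $booking_id . date( 'Y-m-d' ) ), 0, 8 );
}

// Hardened: 256 bits from the OS CSPRNG, issued once per booking. Only the
// SHA-256 of the token is stored, so a database read does not yield live links.
function hb_issue_cancel_token( int $booking_id ): string {
    $token = bin2hex( random_bytes( 32 ) );            // 64 hex characters
    update_post_meta( $booking_id, '_hb_cancel_token_hash', hash( 'sha256', $token ) );
    return $token;                                     // sent only in the customer's email
}

function hb_cancel_link( int $booking_id, string $token ): string {
    return add_query_arg(
        array( 'action' => 'hb_cancel_booking', 'booking' => $booking_id, 'token' => $token ),
        admin_url( 'admin-ajax.php' )
    );
}

function hb_cancel_booking_callback(): void {
    $booking_id = isset( $_REQUEST['booking'] ) ? absint( $_REQUEST['booking'] ) : 0;
    $token      = isset( $_REQUEST['token'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['token'] ) ) : '';

    // Per-client throttle: 10 failures per 15 minutes. REMOTE_ADDR is the
    // proxy's address when a reverse proxy sits in front of PHP; adjust if so.
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $key   = 'hb_cancel_fail_' . md5( $ip );
    $fails = (int) get_transient( $key );
    if ( $fails >= 10 ) {
        wp_send_json_error( 'Too many attempts', 429 );
    }

    $stored = get_post_meta( $booking_id, '_hb_cancel_token_hash', true );
    $ok = $booking_id > 0
        && is_string( $stored ) && 64 === strlen( $stored )
        && 64 === strlen( $token )
        && hash_equals( $stored, hash( 'sha256', $token ) );   // constant-time compare

    if ( ! $ok ) {
        set_transient( $key, $fails + 1, 15 * MINUTE_IN_SECONDS );
        wp_send_json_error( 'Invalid cancellation link', 403 );
    }

    // Single use: invalidate the token before changing the booking.
    delete_post_meta( $booking_id, '_hb_cancel_token_hash' );
    update_post_meta( $booking_id, '_hb_status', 'cancelled' );
    wp_send_json_success( 'Booking cancelled' );
}
add_action( 'wp_ajax_nopriv_hb_cancel_booking', 'hb_cancel_booking_callback' );
add_action( 'wp_ajax_hb_cancel_booking', 'hb_cancel_booking_callback' );
```

The example deliberately does not lean on a WordPress nonce for authorization. wp_create_nonce / wp_verify_nonce is a CSRF measure: for logged-out visitors the nonce is derived from no per-user state, so every visitor of the site gets the same value for a given action, and it expires within 24 hours regardless. That is why a single site-wide nonce, as the advisory describes, adds nothing against brute force, and why the random per-booking token must be the only credential the endpoint checks.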

Explanation of Vulnerability in Simple Terms

02 Summary

Hydra Booking versions up to and including 1.1.27 generate booking cancellation tokens from insufficiently random values (CWE-330), so the set of possible tokens is small enough for an attacker to enumerate. The nonce that is meant to gate the cancellation endpoint is one shared value rather than something tied to the requester or the booking, so it adds no secret of its own. Together this means anyone who can reach the site's AJAX endpoint can cancel other customers' bookings without an account and without any action by the victim; the effect is limited to the integrity of booking records.

What an attacker can do

03 Attacker Capabilities

Cancel bookings belonging to other customers by brute-forcing the cancellation token accepted by the tfhb_meeting_form_cencel AJAX action, with no account and no involvement from the victim. The CVSS vector limits the impact to integrity (I:L): no data is disclosed (C:N) and the site stays available (A:N).

Potential impact on your site

04 Site Impact

Existing appointments can be cancelled without the customer's or the site owner's consent, which the CVSS vector records as a low integrity impact with no confidentiality or availability impact. A brute-force run is noisy: it appears in web server logs as a burst of unauthenticated requests to admin-ajax.php with action=tfhb_meeting_form_cencel, which is worth alerting on while the plugin is still on a vulnerable version.

Conditions required to exploit

05 Prerequisites

Network access to a WordPress site running Hydra Booking 1.1.27 or earlier; the cancellation AJAX action is reachable by logged-out visitors by design, and no authentication or user interaction is required. Updating the plugin to a release newer than 1.1.27 removes the vulnerable token generation.

Key dates

06 Disclosure timeline

November 11, 2025 CVE published
April 8, 2026 Record updated