What the vulnerability does
01 Description
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint.
Explanation of Vulnerability in Simple Terms
02 Summary
Hydra Booking versions up to 1.1.27 use insufficiently random values (CWE-330) for a security-sensitive operation, booking cancellation, so an attacker can predict the tokens the plugin relies on. The vulnerability requires no authentication or user interaction and can be exploited over the network. By predicting the weak random values, an attacker can compromise the integrity of booking data or session tokens.
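The two weaknesses named above, a cancellation token drawn from a predictable source and a nonce shared by every booking, are easiest to see next to their hardened counterparts. The following is an added illustrative example, not Hydra Booking's code and not a patch for it: the function names, the `hb_` prefix, the `_hb_cancel_token_hash` meta key and the `hb_cancel_booking` AJAX action are all hypothetical. It issues a 256-bit token from the OS CSPRNG, stores only its hash, scopes the WordPress nonce to one booking, and compares in constant time.

```php
<?php
// Added example (hypothetical names throughout); shows the defensive pattern,
// not the plugin's actual implementation.

const HB_TOKEN_META = '_hb_cancel_token_hash'; // hypothetical post-meta key

// Weak pattern, shown only for contrast: the booking id is public and the
// timestamp is guessable, so the whole token space can be enumerated.
function hb_weak_token_do_not_use( int $booking_id ): string {
    return md5( $booking_id . time() );
}

// Issue a token: 32 random bytes (256 bits) from random_bytes(), which uses the
// operating system CSPRNG. The plaintext goes to the booker once; the database
// keeps only a SHA-256 hash, so a leaked table does not expose usable tokens.
function hb_issue_cancel_token( int $booking_id ): string {
    $token = bin2hex( random_bytes( 32 ) );
    update_post_meta( $booking_id, HB_TOKEN_META, hash( 'sha256', $token ) );
    return $token;
}

// Build the cancellation link. The nonce action includes the booking id, so a
// nonce issued for one booking does not validate a request for another.
function hb_cancel_link( int $booking_id, string $token ): string {
    return add_query_arg(
        array(
            'action'     => 'hb_cancel_booking',
            'booking_id' => $booking_id,
            'token'      => $token,
            '_wpnonce'   => wp_create_nonce( 'hb_cancel_booking_' . $booking_id ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}

// Verify: per-booking nonce first, then a constant-time comparison of hashes so
// the response time does not leak how many leading characters matched.
function hb_verify_cancel_request( int $booking_id, string $token, string $nonce ): bool {
    if ( ! wp_verify_nonce( $nonce, 'hb_cancel_booking_' . $booking_id ) ) {
        return false;
    }
    $stored = get_post_meta( $booking_id, HB_TOKEN_META, true );
    if ( ! is_string( $stored ) || '' === $stored ) {
        return false; // no outstanding token: already used or never issued
    }
    return hash_equals( $stored, hash( 'sha256', $token ) );
}

// AJAX handler registered for logged-out users too, since the booker usually
// has no account. The token is deleted on success, making it single use.
function hb_cancel_booking_callback(): void {
    $booking_id = isset( $_GET['booking_id'] ) ? absint( $_GET['booking_id'] ) : 0;
    $token      = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
    $nonce      = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    if ( 0 === $booking_id || ! hb_verify_cancel_request( $booking_id, $token, $nonce ) ) {
        wp_send_json_error( array( 'message' => 'Invalid cancellation link.' ), 403 );
    }
    delete_post_meta( $booking_id, HB_TOKEN_META );
    // Mark the booking cancelled here (storage layer is out of scope for this example).
    wp_send_json_success( array( 'message' => 'Booking cancelled.' ) );
}
add_action( 'wp_ajax_hb_cancel_booking', 'hb_cancel_booking_callback' );
add_action( 'wp_ajax_nopriv_hb_cancel_booking', 'hb_cancel_booking_callback' );
```

Two design points matter for a reviewer. First, the token, not the nonce, is the secret: WordPress nonces expire (24 hours by default) and are not meant to protect a link that may sit in an inbox for days, so a per-booking nonce only adds request binding on top of a 256-bit token whose space cannot be enumerated. Second, even with a strong token, the endpoint should still be rate limited and its failures logged, because repeated 403 responses against a single cancellation action are the observable signature of the brute-force attempt this advisory describes.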
What an attacker can do
03 Attacker Capabilities
Predict or manipulate security tokens and booking data by exploiting weak random number generation.
Potential impact on your site
04 Site Impact
Booking appointments, session tokens, or other security-sensitive data may be compromised or manipulated by attackers.
Conditions required to exploit
05 Prerequisites
Network access to the Hydra Booking installation; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated