PT-2025-31186 · WordPress · Hydra Booking

Kenneth Dunn · Published 2025-07-29 · Updated 2025-08-03

CVE-2025-7689
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hydra Booking plugin for WordPress, versions 1.1.0 through 1.1.18
Description: The Hydra Booking plugin for WordPress is susceptible to privilege escalation. A missing capability check within the tfhb_reset_password_callback() function allows authenticated attackers with Subscriber-level access or higher to reset the password of an Administrator user, resulting in full administrative control.
Recommendations: Hydra Booking plugin for WordPress versions 1.1.0 through 1.1.18: update the plugin to a version where the capability check is implemented.
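The weakness class described above is a WordPress AJAX handler that changes a user's password based on a caller-supplied user ID without checking whether the caller may edit that user. The following is an added illustration of that pattern and its fix, not Hydra Booking's code: the function names, the nonce action and the request field names are hypothetical.

```php
<?php
// Hypothetical illustration of the weakness class; not the plugin's own code.

// Vulnerable pattern: any logged-in user can reach the handler and choose the
// target user_id, so a Subscriber can reset an Administrator's password.
function example_reset_password_callback_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['password'] ?? '' );
    wp_set_password( $password, $user_id );   // no nonce, no capability check
    wp_send_json_success();
}

// Hardened pattern: verify the nonce, then require a capability evaluated
// against the *target* user rather than merely "is logged in".
function example_reset_password_callback_hardened() {
    check_ajax_referer( 'example_reset_password', 'nonce' );

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['password'] ?? '' );

    if ( ! $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    // edit_user is a meta capability resolved per target user; a Subscriber
    // does not hold it for an Administrator target, so the request is refused.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $password, $user_id );
    wp_send_json_success();
}

// Registering under wp_ajax_ (not wp_ajax_nopriv_) only requires a login; every
// authenticated role can still call the handler, so the capability check inside
// the callback is what actually limits who may reset whose password.
add_action( 'wp_ajax_example_reset_password', 'example_reset_password_callback_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` or REST callback that calls `wp_set_password()`, `wp_update_user()` or similar and confirm that it performs a per-target `current_user_can()` check before acting.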

Fix

LPE

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2025-7689

Affected Products

Hydra Booking