PT-2025-46322 · WordPress · Hydra Booking

Ahmad Salem · Published 2025-11-11 · Updated 2025-11-11 · CVE-2025-12787

CVSS v3.1 · 5.3 · Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress versions prior to 1.1.28

Description

The Hydra Booking plugin for WordPress is susceptible to unauthorized booking cancellations. This is caused by the use of predictable values in generating booking cancellation tokens and a globally shared nonce within the tfhb meeting form submit callback function. An unauthenticated attacker can cancel bookings by conducting brute-force attacks against the tfhb meeting form cencel API endpoint.

Recommendations

Update the Hydra Booking plugin to version 1.1.28 or later.

Fix

Use of Insufficiently Random Values

Weakness Enumeration

Related Identifiers

CVE-2025-12787

Affected Products

Hydra Booking