PT-2025-46323 · WordPress+1 · Hydra Booking+1

Ahmad Salem · Published 2025-11-11 · Updated 2025-11-11 · CVE-2025-12788

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress versions prior to 1.1.28

Description

The Hydra Booking plugin for WordPress lacks payment verification, allowing unauthenticated users to bypass payment requirements. The plugin accepts client-supplied payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without validating it against the PayPal API. This enables attackers to confirm bookings as paid without completing an actual payment.

Recommendations

Update the Hydra Booking plugin to version 1.1.28 or later.
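
The server-side check whose absence the description refers to, as an added sketch that is not the plugin's code or its 1.1.28 fix. The function names, the booking fields and the sample orders are constructed; the order layout assumes the field names of a PayPal Orders v2 response, and fetch_order stands in for an authenticated server-to-server lookup of the order.

```python
from decimal import Decimal

# Constructed sample of what the payment provider reports for each order id.
# In production fetch_order() would be an authenticated API lookup, never
# data taken from the browser.
PROVIDER_ORDERS = {
    "ORDER-A": {"status": "COMPLETED", "purchase_units": [
        {"custom_id": "booking-17",
         "amount": {"currency_code": "USD", "value": "40.00"}}]},
    "ORDER-B": {"status": "COMPLETED", "purchase_units": [
        {"custom_id": "booking-99",
         "amount": {"currency_code": "USD", "value": "1.00"}}]},
    "ORDER-C": {"status": "CREATED", "purchase_units": [
        {"custom_id": "booking-17",
         "amount": {"currency_code": "USD", "value": "40.00"}}]},
}


def fetch_order(order_id):
    """Hypothetical provider lookup; returns None for unknown order ids."""
    return PROVIDER_ORDERS.get(order_id)


def confirm_booking(booking, client_data, used_order_ids, fetch=fetch_order):
    """Return (paid, reason). Only the order id is read from the client;
    status, amount and booking reference come from the provider's record."""
    order_id = client_data.get("order_id", "")
    if not order_id or order_id in used_order_ids:
        return False, "missing or reused order id"
    order = fetch(order_id)
    if order is None:
        return False, "order unknown to provider"
    if order.get("status") != "COMPLETED":
        return False, "order not completed"
    units = order.get("purchase_units") or [{}]
    unit = units[0]
    if unit.get("custom_id") != booking["id"]:
        return False, "order belongs to another booking"
    amount = unit.get("amount", {})
    if (amount.get("currency_code") != booking["currency"]
            or Decimal(amount.get("value", "0")) != Decimal(booking["price"])):
        return False, "amount mismatch"
    used_order_ids.add(order_id)  # one order can pay for one booking only
    return True, "verified"
```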

Related Identifiers

CVE-2025-12788

Affected Products

Hydra Booking
PayPal