Hydra Booking WordPress Plugin Booking Details IDOR Vulnerability
The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint. This is due to the getBookingDetails() callback only enforcing the tfhb_manage_options capability via tfhb_manage_options_permission(), without verifying that the requested booking belongs to the currently authenticated host (the lookup in getBookingDetailsData() filters solely on the booking id supplied in the URL). This makes it possible for authenticated attackers, with Hydra Host-level access and above (a role created by the plugin which grants tfhb_manage_options), to view sensitive booking records belonging to other hosts, including attendee names, emails, phone numbers, addresses, meeting details, payment method and status, transaction history, and internal notes by iterating booking IDs.
Quick answer
Hydra Booking should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Hydra Booking up to and including 1.2.1
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Hydra Booking is affected by CVE-2026-12433. Vulnerable versions up to and including 1.2.1 expose data because Hydra Host users can enumerate booking IDs and view booking records belonging to other hosts. Update or disable the plugin on public WordPress sites and review affected records for unauthorized access.
- Inventory every WordPress site where Hydra Booking is installed and enabled.
- Update Hydra Booking beyond 1.2.1 when a vendor-fixed release is available.
- Disable the plugin temporarily if the affected REST endpoint or workflow is reachable and no fixed version is available.
- Restrict the vulnerable REST route with a WAF or server rule until patching is complete.
- Review WordPress user roles and remove unnecessary Author, Host, or elevated plugin roles.
- Audit access logs for enumeration of post IDs, booking IDs, object IDs, or plugin REST endpoints.
- Clear WordPress, object, page, and CDN caches after remediation.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Hydra Booking is no longer running version 1.2.1 or older.
- Test the affected REST endpoint as the lowest relevant role in staging and confirm unauthorized records are denied.
- Verify legitimate editor, host, or administrator workflows still function after the fix.
- Review sensitive post, ACF, or booking records for suspicious access during the exposure window.
- Run a Fixnx scan and confirm public WordPress exposure signals are rechecked.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-12433?
Hydra Booking versions listed as affected should be reviewed: Hydra Booking up to and including 1.2.1.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
