CVE-2025-7689

High CVSS 8.8

Overview

The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation.

CWE: CWE-862 Published: 2025-07-29T10:15:29.853

Risk analysis

This vulnerability is rated 🟠 HIGH.

CVSS: 8.8 (HIGH)
Detected tags: priv_esc, wordpress (tag impact: HIGH)

Recommended actions:

Fix privilege escalation urgently.
Enforce least-privilege and strengthen EDR detection.

Overview

Recommended tools

Tags