Introduction
Resetting an administrator password with only a Subscriber account is possible on affected WordPress sites using Hydra Booking plugin versions 1.1.0 through 1.1.18. This issue enables privilege escalation and can result in full site compromise if exploited by a malicious authenticated user.
Hydra Booking is a WordPress plugin designed for appointment scheduling, business management, and integration with WooCommerce and CRM systems. It is positioned as a feature-rich solution for businesses needing multi-user booking and front-end dashboard capabilities. The plugin is widely used in the WordPress ecosystem, though it has not previously been associated with major security incidents.
Technical Information
CVE-2025-7689 is a privilege escalation vulnerability in Hydra Booking WordPress plugin versions 1.1.0 through 1.1.18. The vulnerability is rooted in the tfhb_reset_password_callback function, which is responsible for handling password reset requests. In these versions, this function does not perform a capability check to verify the role or permissions of the user invoking it.
The absence of a capability check means that any authenticated user, including those with only Subscriber-level access, can send a crafted request to the vulnerable endpoint. By specifying the user ID of an Administrator in the request, the attacker can reset the Administrator's password. This results in full privilege escalation, granting the attacker administrative access to the WordPress site.
This flaw is categorized as CWE-862 (Missing Authorization), which describes failures to enforce proper authorization on sensitive operations. The vulnerability is straightforward to exploit for any authenticated user who can interact with the plugin's password reset functionality.
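The following is an added example of what the missing authorization check looks like when it is present, written as a hypothetical WordPress AJAX handler; it is not Hydra Booking's code and does not use the plugin's hook or parameter names. The action name, nonce name, the `user_id` and `new_password` request fields and the `example_` function names are all assumptions. It shows the three controls a password-reset callback needs: a nonce for CSRF, a capability check bound to the target user (the control CWE-862 describes as missing), and a defence-in-depth rule that keeps non-administrators away from administrator accounts.

```php
<?php
// Added example of a hardened password-reset handler (hypothetical names,
// not Hydra Booking's implementation). Assumes it runs inside WordPress.

add_action( 'wp_ajax_example_reset_password', 'example_reset_password_callback' );

function example_reset_password_callback() {
    // 1. CSRF protection: the request must carry a nonce issued to the caller.
    //    check_ajax_referer() ends the request with HTTP 403 on failure.
    check_ajax_referer( 'example_reset_password_nonce', 'nonce' );

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_pass  = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( 0 === $target_id || '' === $new_pass ) {
        wp_send_json_error( array( 'message' => 'Missing user_id or new_password.' ), 400 );
    }

    // 2. Authorization (the check whose absence is CWE-862). 'edit_user' is a
    //    meta capability evaluated against the *target* user ID: a Subscriber
    //    holds it only for their own account, an Administrator for other users.
    //    Checking a generic capability, or nothing at all, lets any logged-in
    //    user pass an arbitrary user_id and reset that account's password.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'You are not allowed to change this password.' ), 403 );
    }

    $target = get_userdata( $target_id );
    if ( ! $target ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    // 3. Defence in depth: even if a custom role is granted edit_user broadly,
    //    only someone who can manage the site may reset an administrator.
    $target_is_admin = in_array( 'administrator', (array) $target->roles, true );
    if ( $target_is_admin && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges for this account.' ), 403 );
    }

    wp_set_password( $new_pass, $target_id );

    // Record who reset whose password so a SOC can alert on resets of
    // privileged accounts initiated by low-privilege users.
    error_log( sprintf(
        'example-plugin: user %d reset the password of user %d',
        get_current_user_id(),
        $target_id
    ) );

    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
```

The decisive line is the `current_user_can( 'edit_user', $target_id )` check: the capability has to be evaluated against the user whose password is being changed, not merely against "is logged in". A handler that omits it, or that only checks `is_user_logged_in()`, has exactly the Subscriber-to-Administrator escalation path the advisory describes.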
Affected Systems and Versions
- Product: Hydra Booking WordPress plugin
- Affected versions: 1.1.0 through 1.1.18
- Any WordPress installation running a Hydra Booking version in this range is vulnerable whenever an attacker can obtain an authenticated account of any role, for example where open user registration creates Subscriber-level accounts
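As an added example for triaging an installation (not part of the advisory or the vendor's tooling), the script below reads the `Version:` header from a plugin's main file and reports whether it falls in the affected range 1.1.0 through 1.1.18. The path to the plugin's main file is an assumption (a placeholder below); the header-parsing and `version_compare()` logic apply to any WordPress plugin. Plain string comparison would be wrong here, since `"1.1.18" < "1.1.2"` lexically; `version_compare()` compares the numeric components.

```php
<?php
// Added example: check whether an installed plugin version is in the
// affected range for CVE-2025-7689. Not the advisory's or vendor's code.

const HB_AFFECTED_MIN = '1.1.0';
const HB_AFFECTED_MAX = '1.1.18';

// Returns true when $version is within [1.1.0, 1.1.18] inclusive.
function hydra_booking_is_affected( string $version ): bool {
    return version_compare( $version, HB_AFFECTED_MIN, '>=' )
        && version_compare( $version, HB_AFFECTED_MAX, '<=' );
}

// Extracts the "Version:" value from a WordPress plugin header block.
// Returns null when the header is absent.
function read_plugin_header_version( string $header_text ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $header_text, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// Reads the first 8 KB of the plugin's main file (WordPress itself only
// scans the top of the file for headers) and classifies the version.
function check_plugin_file( string $main_file ): string {
    if ( ! is_readable( $main_file ) ) {
        return "not installed or unreadable: $main_file";
    }
    $head    = file_get_contents( $main_file, false, null, 0, 8192 );
    $version = read_plugin_header_version( (string) $head );
    if ( null === $version ) {
        return "no Version header found in $main_file";
    }
    return hydra_booking_is_affected( $version )
        ? "AFFECTED: version $version is within " . HB_AFFECTED_MIN . '-' . HB_AFFECTED_MAX
        : "not affected: version $version";
}

// Self-check on constructed header text (no filesystem needed).
$sample_header = "<?php\n/**\n * Plugin Name: Example Booking\n * Version: 1.1.18\n */\n";
assert( '1.1.18' === read_plugin_header_version( $sample_header ) );
assert( hydra_booking_is_affected( '1.1.18' ) );
assert( hydra_booking_is_affected( '1.1.0' ) );
assert( ! hydra_booking_is_affected( '1.1.19' ) );
assert( ! hydra_booking_is_affected( '1.0.9' ) );

// Placeholder path: adjust to the real plugin directory on the target install.
echo check_plugin_file( '/var/www/html/wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/main-plugin-file.php' ), PHP_EOL;
```

Run it from a shell on the web host (`php check.php`) or adapt `check_plugin_file()` to iterate over every directory under `wp-content/plugins/` when auditing a fleet. A site that reports AFFECTED should be updated past 1.1.18 if a fixed release is available, or have the plugin deactivated until one is.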
Vendor Security History
No prior public vulnerabilities have been widely reported for Hydra Booking. There is no evidence of a vendor advisory or rapid patch response for CVE-2025-7689 at the time of writing. The incident raises concerns about the plugin's security maturity, particularly regarding authorization checks on sensitive operations.