CVE-2025-12788
Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring.
| CWE | CWE-602 |
| Vendor | themefic |
| Product | hydra booking — appointment scheduling & booking calendar |
| Published | Nov 11, 2025 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for themefic hydra booking — appointment scheduling & booking calendar
Be the first to know when new medium vulnerabilities affecting themefic hydra booking — appointment scheduling & booking calendar are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N