Hydra Booking — Appointment Scheduling & Booking Calendar <= 1.1.41 - Missing Authorization
Description
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.41. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
What Changed in the Fix
Changes introduced in v1.1.42
Source Code
WordPress.org SVN
Exploitation Research Plan: Hydra Booking Missing Authorization (CVE-2026-42675)
1. Vulnerability Summary
The Hydra Booking plugin (<= 1.1.41) contains multiple REST API endpoints that lack proper authorization checks. Specifically, the endpoint registered in includes/services/Integrations/GoogleCalendar/GoogleCalendar.php for Google OAuth callbacks explicitly allows unauthenticated access by returning true in its permission_callback. This allows an attacker to perform an Insecure Direct Object Reference (IDOR) by supplying an arbitrary user_id (via the state parameter), leading to unauthorized modification of WordPress user metadata (_tfhb_host_integration_settings).
Furthermore, several administrative endpoints in admin/Controller/BookingController.php rely on a permission check (tfhb_manage_options_permission) that is likely missing a robust current_user_can check or is otherwise misconfigured, potentially allowing unauthenticated users to delete or modify bookings.
2. Attack Vector Analysis
- Primary Endpoint: GET /wp-json/hydra-booking/v1/integration/google-api
- Secondary Endpoints: POST /wp-json/hydra-booking/v1/booking/delete, POST /wp-json/hydra-booking/v1/booking/change-booking-status
- Method: GET (primary) / POST (secondary)
Summary
The Hydra Booking plugin for WordPress is vulnerable to unauthorized modification of user metadata in versions up to 1.1.41. This occurs because the Google Calendar OAuth callback REST API endpoint lacks proper authorization and relies on a user-controlled parameter to determine which account is being updated.
Vulnerable Code
```php
// includes/services/Integrations/GoogleCalendar/GoogleCalendar.php @ 1.1.41

// No capability or state check: the REST route accepts any caller, logged in or not.
public function permission_callback() {
    return true;
}

public function GetAccessData() {
    // Set the Client Data
    if ( isset( $_GET['code'] ) && isset( $_GET['state'] ) ) {
        try {
            // The OAuth "state" is taken verbatim as the WordPress user to update.
            $user_id = $_GET['state'];
            $data    = $this->GetAccessToken( $_GET['code'] );
            // ...
            $_tfhb_host_integration_settings['google_calendar']['tfhb_google_calendar'] = $data;
            // save to user metadata (for whichever user_id the caller supplied)
            update_user_meta( $user_id, '_tfhb_host_integration_settings', $_tfhb_host_integration_settings );
            $redirect_url = get_site_url() . '/wp-admin/admin.php?page=hydra-booking#/hosts/profile/' . $user_id . '/calendars';
            wp_redirect( $redirect_url );
```
Security Fix
@@ -136,11 +136,19 @@ ) ); } - public function permission_callback() { + public function permission_callback( $request ) { + $state = $request instanceof \WP_REST_Request ? $request->get_param( 'state' ) : ''; + + if ( false === $this->get_oauth_state_data( $state ) ) { + return new \WP_Error( + 'rest_forbidden', + __( 'Sorry, you are not allowed to do that.', 'hydra-booking' ), + array( 'status' => rest_authorization_required_code() ) + ); + } + return true; } - public function GetAccessData() { + public function GetAccessData( $request ) { + $code = $request instanceof \WP_REST_Request ? $request->get_param( 'code' ) : ( isset( $_GET['code'] ) ? wp_unslash( $_GET['code'] ) : '' ); + $state = $request instanceof \WP_REST_Request ? $request->get_param( 'state' ) : ( isset( $_GET['state'] ) ? wp_unslash( $_GET['state'] ) : '' ); + $error = $request instanceof \WP_REST_Request ? $request->get_param( 'error' ) : ( isset( $_GET['error'] ) ? wp_unslash( $_GET['error'] ) : '' ); + + $state_data = $this->get_oauth_state_data( $state ); + + if ( false === $state_data ) { + return new \WP_Error( + 'invalid_google_oauth_state', + __( 'Invalid or expired Google authorization state.', 'hydra-booking' ), + array( 'status' => 403 ) + ); + } - // Set the Client Data - if ( isset( $_GET['code'] ) && isset( $_GET['state'] ) ) { + $user_id = absint( $state_data['user_id'] );
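Review bot: the authorization in this hunk rests entirely on get_oauth_state_data(), which is not among the visible lines; both permission_callback() and GetAccessData() accept any state for which it returns something other than false, so the review should confirm that the state it issues is unguessable, bound to the user who started the OAuth flow, time-limited and invalidated once consumed, otherwise a captured callback URL could be replayed against the same user_id. Two smaller points: GetAccessData() still falls back to $_GET when $request is not a WP_REST_Request, and permission_callback() does not run on such a direct invocation, so the second state check inside GetAccessData() is load-bearing and deserves a comment saying so rather than reading as duplication; and $error is read from the request but its handling is outside the visible lines, which should be documented or added.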
Exploit Outline
The exploit targets the Google OAuth callback endpoint `/wp-json/hydra-booking/v1/integration/google-api`. An attacker first initiates a legitimate Google OAuth flow using their own Google account to obtain a valid authorization `code`. Instead of using this code to link their own account, the attacker sends a GET request to the vulnerable endpoint with the `state` parameter set to the `user_id` of a target user (e.g., an administrator). Because the `permission_callback` returns `true` for unauthenticated requests and the `GetAccessData` function uses the `state` parameter directly as the target for `update_user_meta`, the attacker can successfully overwrite the target user's Google Calendar integration settings with their own tokens.
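For defenders reviewing web-server logs, an added detection example (not code from the advisory or the plugin) that flags callback hits to the endpoint above whose state parameter is a bare integer, the shape the vulnerable release consumed as the target user_id; it assumes combined-format access logs and uses constructed sample lines.

```python
import re
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/wp-json/hydra-booking/v1/integration/google-api"

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return a finding for a suspicious callback hit, or None.
    Suspicious: a GET to the callback whose `state` parses as an integer, i.e. a
    raw WordPress user_id (what <= 1.1.41 consumed) rather than an opaque token.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") != CALLBACK_PATH:
        return None
    qs = parse_qs(parts.query)
    state = qs.get("state", [""])[0]
    if not state.isdigit():
        return None  # opaque token: consistent with the patched flow
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "target_user_id": int(state),
        # In 1.1.41 wp_redirect() follows update_user_meta(), so a 302 means the
        # metadata write path completed; the patched code answers 403 instead.
        "likely_succeeded": status == 302,
        "status": status,
    }

def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample log lines (not real traffic): a normal opaque-state callback,
# a numeric-state hit that got a 302, an unrelated POST, and a numeric-state 403.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2026:09:00:00 +0000] "GET /wp-json/hydra-booking/v1/integration/google-api?code=4%2Fconstructed&state=5f1c9e2a7b3d HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2026:09:00:07 +0000] "GET /wp-json/hydra-booking/v1/integration/google-api?code=4%2Fconstructed&state=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Mar/2026:09:00:08 +0000] "POST /wp-json/hydra-booking/v1/booking/delete HTTP/1.1" 401 75 "-" "curl/8.5.0"',
    '203.0.113.9 - - [11/Mar/2026:09:00:00 +0000] "GET /wp-json/hydra-booking/v1/integration/google-api?code=4%2Fconstructed&state=7 HTTP/1.1" 403 96 "-" "curl/8.5.0"',
]
```

A numeric-state hit with a 302 on a site that was still on 1.1.41 at that time is the indicator to act on; the same request after the update to 1.1.42 yields a 403.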