[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA_0pOU7iI4bkqGRQPFSnbr-t72tdAPHDtFMGLZyN1J8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-42675","hydra-booking-appointment-scheduling-booking-calendar-missing-authorization","Hydra Booking — Appointment Scheduling & Booking Calendar \u003C= 1.1.41 - Missing Authorization","The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.1.41. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","hydra-booking",null,"\u003C=1.1.41","1.1.42","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-15 00:00:00","2026-05-19 13:31:21",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5f6c0e18-6a6b-40c5-95be-87fc7d49ae92?source=api-prod",5,[22,23,24,25,26],"admin\u002FController\u002FBookingController.php","hydra-booking.php","includes\u002Fhooks\u002FActionHooks.php","includes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php","readme.txt","researched",false,3,"# Exploitation Research Plan: Hydra Booking Missing Authorization (CVE-2026-42675)\n\n## 1. Vulnerability Summary\nThe **Hydra Booking** plugin (\u003C= 1.1.41) contains multiple REST API endpoints that lack proper authorization checks. Specifically, the endpoint registered in `includes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php` for Google OAuth callbacks allows unauthenticated access because its `permission_callback` unconditionally returns `true`. Because the handler also takes the target `user_id` directly from the request's `state` parameter, this is an **Insecure Direct Object Reference (IDOR)**: a caller can name an arbitrary user, leading to unauthorized modification of that user's WordPress metadata (`_tfhb_host_integration_settings`).\n\nFurthermore, several administrative endpoints in `admin\u002FController\u002FBookingController.php` rely on a permission check (`tfhb_manage_options_permission`) that may be missing a robust `current_user_can` check or be otherwise misconfigured, which would potentially allow unauthenticated users to delete or modify bookings. This second point is unconfirmed; the body of that permission function is not shown here.\n\n## 2. 
Attack Vector Analysis\n- **Primary Endpoint**: `GET \u002Fwp-json\u002Fhydra-booking\u002Fv1\u002Fintegration\u002Fgoogle-api`\n- **Secondary Endpoints**: \n    - `POST \u002Fwp-json\u002Fhydra-booking\u002Fv1\u002Fbooking\u002Fdelete`\n    - `POST \u002Fwp-json\u002Fhydra-booking\u002Fv1\u002Fbooking\u002Fchange-booking-status`\n- **Method**: `GET` (Primary) \u002F `POST`","The Hydra Booking plugin for WordPress is vulnerable to unauthorized modification of user metadata in versions up to and including 1.1.41 (fixed in 1.1.42). This occurs because the Google Calendar OAuth callback REST API endpoint lacks proper authorization and relies on a user-controlled parameter (`state`) to determine which user's account is being updated.","\u002F\u002F includes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php @ 1.1.41\n\n\tpublic function permission_callback() { \n\t\treturn true;\n\t}\n\n\tpublic function GetAccessData() {\n\n\t\t\u002F\u002F Set the Client Data\n\t\tif ( isset( $_GET['code'] ) && isset( $_GET['state'] ) ) {\n\n\t\t\ttry {\n\n\t\t\t\t$user_id = $_GET['state'];\n\n\t\t\t\t$data  = $this->GetAccessToken( $_GET['code'] ); \n                \u002F\u002F ...\n\t\t\t\t$_tfhb_host_integration_settings['google_calendar']['tfhb_google_calendar'] = $data;\n\n\t\t\t\t\u002F\u002F save to user metadata\n\t\t\t\tupdate_user_meta( $user_id, '_tfhb_host_integration_settings', $_tfhb_host_integration_settings );\n\n\t\t\t\t$redirect_url = get_site_url() . '\u002Fwp-admin\u002Fadmin.php?page=hydra-booking#\u002Fhosts\u002Fprofile\u002F' . $user_id . 
'\u002Fcalendars';\n\n\t\t\t\twp_redirect( $redirect_url );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhydra-booking\u002F1.1.41\u002Fincludes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhydra-booking\u002F1.1.42\u002Fincludes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhydra-booking\u002F1.1.41\u002Fincludes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php\t2026-04-12 10:00:10.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fhydra-booking\u002F1.1.42\u002Fincludes\u002Fservices\u002FIntegrations\u002FGoogleCalendar\u002FGoogleCalendar.php\t2026-04-28 12:32:24.000000000 +0000\n@@ -136,11 +136,19 @@\n \t\t\t)\n \t\t);\n \t}\n-\tpublic function permission_callback() { \n+\tpublic function permission_callback( $request ) {\n+\t\t$state = $request instanceof \\WP_REST_Request ? $request->get_param( 'state' ) : '';\n+\n+\t\tif ( false === $this->get_oauth_state_data( $state ) ) {\n+\t\t\treturn new \\WP_Error(\n+\t\t\t\t'rest_forbidden',\n+\t\t\t\t__( 'Sorry, you are not allowed to do that.', 'hydra-booking' ),\n+\t\t\t\tarray( 'status' => rest_authorization_required_code() )\n+\t\t\t);\n+\t\t}\n+\n \t\treturn true;\n \t}\n \n-\tpublic function GetAccessData() {\n+\tpublic function GetAccessData( $request ) {\n+\t\t$code  = $request instanceof \\WP_REST_Request ? $request->get_param( 'code' ) : ( isset( $_GET['code'] ) ? wp_unslash( $_GET['code'] ) : '' );\n+\t\t$state = $request instanceof \\WP_REST_Request ? $request->get_param( 'state' ) : ( isset( $_GET['state'] ) ? wp_unslash( $_GET['state'] ) : '' );\n+\t\t$error = $request instanceof \\WP_REST_Request ? $request->get_param( 'error' ) : ( isset( $_GET['error'] ) ? 
wp_unslash( $_GET['error'] ) : '' );\n+\n+\t\t$state_data = $this->get_oauth_state_data( $state );\n+\n+\t\tif ( false === $state_data ) {\n+\t\t\treturn new \\WP_Error(\n+\t\t\t\t'invalid_google_oauth_state',\n+\t\t\t\t__( 'Invalid or expired Google authorization state.', 'hydra-booking' ),\n+\t\t\t\tarray( 'status' => 403 )\n+\t\t\t);\n+\t\t}\n \n-\t\t\u002F\u002F Set the Client Data\n-\t\tif ( isset( $_GET['code'] ) && isset( $_GET['state'] ) ) {\n+\t\t$user_id      = absint( $state_data['user_id'] );","The exploit targets the Google OAuth callback endpoint `\u002Fwp-json\u002Fhydra-booking\u002Fv1\u002Fintegration\u002Fgoogle-api`. An attacker first initiates a legitimate Google OAuth flow using their own Google account to obtain a valid authorization `code`. Instead of using this code to link their own account, the attacker sends a GET request to the vulnerable endpoint with the `state` parameter set to the `user_id` of a target user (e.g., an administrator). Because the `permission_callback` returns `true` for unauthenticated requests and the `GetAccessData` function uses the `state` parameter directly as the target for `update_user_meta`, the attacker can successfully overwrite the target user's Google Calendar integration settings with their own tokens.","gemini-3-flash-preview","2026-05-20 17:32:29","2026-05-20 17:33:24",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.1.41","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhydra-booking\u002Ftags\u002F1.1.41","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhydra-booking.1.1.41.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhydra-booking\u002Ftags\u002F1.1.42","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fhydra-booking.1.1.42.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fhydra-booking\u002Ftags"]