Hydra Booking — Appointment Scheduling & Booking Calendar

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:themefic:hydra_booking_—_appointment_scheduling_&_booking_calendar:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorThemefic (69fae1e1-81cb-5dd5-92a6-9e186c18d282)
ProductHydra Booking — Appointment Scheduling & Booking Calendar (b97b5c64-5c5b-520c-9d5e-92109f5d1254)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-12788 vulnerable 2026-06-08 07:04:30.974491 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass
MEDIUM (5.3)
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring.
Published: 2025-11-11T11:03:46.212Z
Updated: 2026-04-08T17:16:59.618Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-12787 vulnerable 2026-06-08 07:04:30.974120 db.gcve.eu details are currently unavailable. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.