CVE-2026-12433 Overview
CVE-2026-12433 is an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] in the Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress. The flaw affects all versions up to and including 1.2.1. The /wp-json/hydra-booking/v1/booking/details/{id} REST endpoint fails to verify booking ownership before returning records. Authenticated users with Hydra Host-level access can enumerate booking IDs to read records belonging to other hosts, exposing attendee names, emails, phone numbers, addresses, meeting details, payment information, transaction history, and internal notes.
Critical Impact
Authenticated attackers with Hydra Host privileges can read sensitive booking data belonging to other hosts by iterating booking IDs against the REST API.
Affected Products
- Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress
- Versions up to and including 1.2.1
- WordPress sites granting the tfhb_manage_options capability (Hydra Host role)
Discovery Timeline
- 2026-07-09 - CVE-2026-12433 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-12433
Vulnerability Analysis
The vulnerability resides in the getBookingDetails() callback registered in admin/Controller/BookingController.php. The endpoint enforces the tfhb_manage_options capability through tfhb_manage_options_permission(), which acts as the sole gatekeeper. This capability check confirms that the requester is a Hydra Host but does not tie the request to a specific host's data scope.
Once the capability check passes, the callback invokes getBookingDetailsData(), which retrieves the booking record using only the id parameter supplied in the URL path. No filter is applied to match the booking's owning host against the authenticated user. As a result, any user holding the tfhb_manage_options capability can request arbitrary booking IDs and receive the full record.
The Hydra Host role is created automatically by the plugin during activation via includes/hooks/ActivationHooks.php, meaning multi-host installations expose data across tenants by default.
Root Cause
The root cause is a missing authorization check that binds the requested resource to the authenticated principal. Capability-based checks confirm role membership but do not enforce per-object ownership, a classic IDOR pattern tracked under CWE-639.
Attack Vector
An authenticated attacker with a Hydra Host account issues HTTP GET requests to /wp-json/hydra-booking/v1/booking/details/{id}, incrementing the numeric {id} value. Each valid ID returns a booking JSON payload regardless of which host owns it. Refer to the Wordfence Vulnerability Report and the WordPress Hydra Booking Changeset for source-level details.
Detection Methods for CVE-2026-12433
Indicators of Compromise
- Sequential or high-volume requests to /wp-json/hydra-booking/v1/booking/details/{id} from a single authenticated session
- Access to booking IDs outside the range historically associated with a given host account
- Unexpected 200 responses to booking detail requests from non-administrator accounts
Detection Strategies
- Enable WordPress REST API request logging and alert on repeated calls to the hydra-booking/v1/booking/details route with varying IDs
- Correlate authenticated user IDs against the host ID referenced in returned booking records to spot cross-host reads
- Review web server access logs for enumeration patterns targeting numeric path parameters on the plugin's endpoints
Monitoring Recommendations
- Audit accounts holding the tfhb_manage_options capability and confirm each is a legitimate host
- Monitor for privilege changes that grant the Hydra Host role to unexpected users
- Alert on abnormal spikes in booking detail API traffic tied to a single session or IP
How to Mitigate CVE-2026-12433
Immediate Actions Required
- Update the Hydra Booking plugin to a version later than 1.2.1 that includes the ownership check fix
- Audit and remove unnecessary Hydra Host accounts to reduce the pool of users able to reach the vulnerable endpoint
- Rotate credentials for any Hydra Host account showing signs of misuse
- Notify affected attendees if logs indicate cross-host record access occurred
Patch Information
The vendor addressed the issue through commits referenced in the WordPress Hydra Booking Changeset. Compare vulnerable code in BookingController.php line 100 and BookingController.php line 1418 against the patched release. Site owners should upgrade to the fixed release referenced in the Wordfence Vulnerability Report.
Workarounds
- Temporarily restrict access to the /wp-json/hydra-booking/v1/booking/details/{id} endpoint at the web server or WAF layer until the patch is applied
- Reduce the number of accounts assigned the Hydra Host role to trusted personnel only
- Disable the plugin on multi-host sites where segregation of booking data is required and patching is delayed
# Example nginx block restricting the vulnerable REST route to trusted IPs
location ~ ^/wp-json/hydra-booking/v1/booking/details/ {
allow 203.0.113.0/24;
deny all;
try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

