CVE-2025-7689: 
WordPress vulnerability analysis and mitigation

The Hydra Booking plugin for WordPress contains a privilege escalation vulnerability (CVE-2025-7689) discovered in versions 1.1.0 through 1.1.18. The vulnerability was disclosed on July 29, 2025 and stems from a missing capability check in the tfhbresetpassword_callback() function (NVD).

The vulnerability exists due to improper authorization controls in the tfhbresetpassword_callback() function. This security flaw allows authenticated users with Subscriber-level privileges or higher to reset Administrator user passwords. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impacts to confidentiality, integrity and availability (NVD).

The vulnerability allows authenticated attackers to gain unauthorized administrative access to WordPress sites running the affected versions of Hydra Booking plugin. By exploiting this flaw, an attacker with even basic subscriber privileges can reset administrator passwords, effectively achieving full privilege escalation and complete control over the WordPress installation (NVD).

The vulnerability has been patched in version 1.1.19 of the Hydra Booking plugin, released on July 26, 2025. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WordPress Plugin).