CVE-2026-42675: WordPress Hydra Booking plugin <= 1.1.41 - Broken Access Control vulnerability
Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the Hydra Booking WordPress plugin by Themefic at version 1.1.41 and earlier. The flaw is reachable over the network without any authentication or user interaction, meaning any unauthenticated remote request can trigger the misconfigured authorization checks. Successful exploitation gives an attacker limited read access, the ability to modify data, and the ability to disrupt service availability within the plugin's scope. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack and the NVD) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the Hydra Booking plugin.
- Available
HarborGuard is capable of scoring this finding at CVSS 7.3 (HIGH) and weighting it against each customer organization's compliance policy to determine urgency, then routing the alert to the appropriate team inbox within that org.
- Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to exploit it.
- Authentication: Not required
No account or credentials of any privilege level are needed; the misconfigured access control can be reached by any unauthenticated request.
- Victim interaction: Not required
No action from a logged-in user or site visitor is required to trigger the vulnerability.
- Attack complexity: Low
Attack complexity is low, meaning exploitation is reliable and does not depend on race conditions, precise timing, or a specific environmental configuration outside the attacker's control.
Blast Radius
- An attacker can read data accessible through the plugin, such as booking records or configuration details that should be restricted.
- An attacker can modify plugin data, including creating, updating, or deleting booking entries or settings without authorization.
- An attacker can trigger availability disruption within the plugin's functional scope, degrading or breaking the booking feature for site visitors.
- Because no authentication is required, these actions are open to any external actor who can reach the WordPress site over the internet.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored on every ingest cycle because no upstream fix has been published. In the meantime, customers running container images that include the Hydra Booking plugin at version 1.1.41 or earlier are advised to consider compensating controls such as network-policy rules that restrict unauthenticated external access to WordPress admin and plugin endpoints, egress filtering to limit data exfiltration paths, and web application firewall rules targeting the affected plugin routes. Where compliance policy permits, HarborGuard can surface the affected images and flag them for manual review or hold in pipeline gates. The moment Themefic publishes a patched version, HarborGuard will make a rebuilt image available; for customers with auto-remediation enabled, the rebuild, regression test run, and a PR against affected workloads will be opened automatically, with a median time from CVE fix publication to merged patch PR of around 90 minutes for high-severity issues in those environments.
Affected Products
- Themefic / Hydra Booking: ≤ 1.1.41
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L