A critical vulnerability has been identified in the Hydra Booking plugin for WordPress, which allows any authenticated user, regardless of their permission level, to change the password of any other user on the site. This flaw can be exploited by a low-privileged attacker to gain full administrative control over the website, leading to a complete system compromise. The high severity of this vulnerability necessitates immediate action to prevent potential data theft, website defacement, or further attacks originating from the compromised system.

The vulnerability is a privilege escalation flaw within the tfhb_reset_password_callback() function of the Hydra Booking plugin. This function, designed to handle password resets, does not perform a capability check to verify that the user initiating the request has the appropriate permissions to modify other user accounts. As a result, any authenticated user (e.g., a subscriber) can send a crafted request to this function to reset the password for any user, including administrators, by simply knowing the target's username. Successful exploitation grants the attacker unauthorized access to the target account's privileges, which can lead to a full site takeover if an administrator account is compromised.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation can lead to a complete compromise of the organization's WordPress website. An attacker with administrative access could steal sensitive company or customer data, deface the website causing significant reputational damage, inject malicious code to attack site visitors, or use the compromised server to launch further attacks. The potential business impact includes direct financial loss from business disruption, costs associated with incident response and cleanup, regulatory fines for data breaches, and a long-term loss of customer trust.

Immediate Action: Immediately update the Hydra Booking plugin to the latest version provided by the vendor, which contains the patch for this vulnerability. After updating, thoroughly review all user accounts, particularly those with administrative privileges, for any unauthorized password changes or suspicious activity. If the plugin is not critical to business operations, consider deactivating and removing it to reduce the overall attack surface.

Proactive Monitoring: Monitor web server and application logs for POST requests to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) that specifically call the tfhb_reset_password_callback action. Configure alerts for unexpected password changes or privilege escalations within the WordPress audit logs. Monitor for new administrative account creations and logins from unrecognized IP addresses or geolocations.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with a virtual patching rule to block malicious requests targeting the vulnerable function. Enforce Multi-Factor Authentication (MFA) across all user accounts, especially for administrators, as this will prevent an attacker from logging in even if they successfully reset a password. Restrict access to the WordPress administrative dashboard (/wp-admin/) to only trusted IP addresses.

Public Exploit Available: False

Given the high severity (CVSS 8.8) of this vulnerability and the critical risk of a full website compromise, we recommend treating its remediation as a top priority. Organizations must apply the vendor-supplied patch for the Hydra Booking plugin immediately. Although CVE-2025-7689 is not currently on the CISA KEV list, its characteristics make it an extremely attractive target for attackers. Proactive patching is the most effective defense and is essential to prevent unauthorized access and protect the integrity of your web assets.