PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42675 Themefic CVE debrief

A missing authorization vulnerability in the Themefic Hydra Booking WordPress plugin allows an attacker to exploit incorrectly configured access controls. The vulnerability affects all versions up to and including 1.1.41 (no lower bound is given) and has been assigned a CVSS 3.1 score of 7.3 (HIGH). The issue is categorized as CWE-862 (Missing Authorization), meaning that functionality or data is exposed without a proper check that the requesting user is authorized to use it. The NVD entry for this CVE currently carries a status of 'Deferred', suggesting the record may be awaiting additional analysis or verification. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: Themefic
Product: Hydra Booking
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running WordPress sites with the Themefic Hydra Booking plugin installed, particularly those using versions 1.1.41 and earlier. Site administrators, WordPress security teams, and managed service providers responsible for plugin maintenance and access control posture should prioritize verification and patching.

Technical summary

The Hydra Booking plugin for WordPress fails to enforce proper authorization checks on affected functionality, allowing unauthenticated or lower-privileged users to access or manipulate resources intended for higher-privileged users. Per the CVSS vector, the vulnerability is exploitable over the network with low attack complexity, requires no privileges and no user interaction, leaves scope unchanged, and has LOW impact on each of confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade the Themefic Hydra Booking WordPress plugin to a version newer than 1.1.41 if a patched release is available from the vendor.
  • Verify that all booking and administrative endpoints within the plugin implement proper capability checks and nonce validation.
  • Review WordPress user role configurations to ensure least-privilege access controls are enforced for booking management functionality.
  • Monitor plugin vendor communications and Patchstack advisories for confirmation of a fixed version and additional mitigation guidance.
  • If immediate patching is not possible, consider restricting access to affected plugin functionality via web application firewall rules or access controls at the reverse proxy layer.
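The second recommended action above (capability checks and nonce validation on every booking and administrative endpoint) is the fix for the CWE-862 pattern in general, whatever the specific affected code in Hydra Booking is. The following is an added illustration written for this debrief, not code from the Hydra Booking plugin or from Themefic: it shows a hypothetical WordPress AJAX handler that is reachable by anyone and acts without an authorization check, next to the same handler hardened with the WordPress APIs an auditor would expect to find (`check_ajax_referer`, `current_user_can`, input sanitisation), and the equivalent `permission_callback` gate for a REST route. All hook names, option names and the `example-booking/v1` namespace are invented for the illustration.

```php
<?php
/**
 * Added illustration (not Hydra Booking's code): a WordPress AJAX handler
 * with the CWE-862 (Missing Authorization) pattern, and the same handler
 * with authorization, nonce validation and input sanitisation.
 * Handler names, capability and option names are hypothetical.
 */

// --- Vulnerable pattern (CWE-862): the handler trusts whoever reaches it. ---
// Registered for logged-in AND anonymous users (wp_ajax_nopriv_), and it
// acts on the request with no capability check, so any visitor who can
// reach admin-ajax.php can change the setting.
add_action( 'wp_ajax_example_save_booking_setting',        'example_save_booking_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_booking_setting', 'example_save_booking_setting_vulnerable' );

function example_save_booking_setting_vulnerable() {
    update_option( 'example_booking_slot_length', $_POST['slot_length'] );
    wp_send_json_success();
}

// --- Hardened pattern. ---
// 1. No wp_ajax_nopriv_ hook: anonymous requests never reach the handler.
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
//    A nonce proves intent, not permission: it is NOT an authorization check.
// 3. current_user_can() is the authorization check that CWE-862 is about.
// 4. Input is sanitised and range-checked before it is stored.
add_action( 'wp_ajax_example_save_booking_setting_v2', 'example_save_booking_setting_hardened' );

function example_save_booking_setting_hardened() {
    check_ajax_referer( 'example_booking_settings', 'nonce' ); // dies with 403 on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    $slot_length = isset( $_POST['slot_length'] ) ? absint( $_POST['slot_length'] ) : 0;
    if ( $slot_length < 5 || $slot_length > 240 ) {
        wp_send_json_error( array( 'message' => 'invalid slot length' ), 400 );
    }

    update_option( 'example_booking_slot_length', $slot_length );
    wp_send_json_success( array( 'slot_length' => $slot_length ) );
}

// The nonce the admin page must send as the 'nonce' POST field. It is tied to
// the current user and expires, so it cannot be reused by another account.
function example_booking_settings_nonce() {
    return wp_create_nonce( 'example_booking_settings' );
}

// --- Same rule for REST routes: permission_callback is the authorization gate. ---
// A route registered with 'permission_callback' => '__return_true' is the REST
// equivalent of the vulnerable AJAX handler above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-booking/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            $slot_length = absint( $request->get_param( 'slot_length' ) );
            update_option( 'example_booking_slot_length', $slot_length );
            return rest_ensure_response( array( 'slot_length' => $slot_length ) );
        },
        // Core runs this before the callback; returning false yields a 401/403.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'slot_length' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && $value >= 5 && $value <= 240;
                },
            ),
        ),
    ) );
} );
```

When auditing an installed plugin against this pattern, the quick checks are: every `wp_ajax_nopriv_` registration that touches state, every `admin_post_nopriv_` handler, every REST route whose `permission_callback` is `__return_true` or missing, and every handler that validates a nonce but never calls `current_user_can()` or a role/capability equivalent. The WAF or reverse-proxy restriction in the last action above is a stop-gap for the same endpoints until the vendor ships the corrected checks.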

Evidence notes

CVE published and modified 2026-06-01. NVD status: Deferred. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. Weakness: CWE-862. Vendor attribution was derived from the reference domain candidate 'Patchstack' with low confidence and is marked for review.

Official resources

2026-06-01