CVE-2026-11901
MEDIUM SEVERITYCVSS Score & Metrics
Base Score
5.3 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerability Description
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-345
Source
NVD
Vendor
thimpress
Product
WP Hotel Booking
External References
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L173
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L186
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L194
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L253
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L173
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L186
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L194
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L253
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3582839%40wp-hotel-booking&new=3582839%40wp-hotel-booking
- https://www.wordfence.com/threat-intel/vulnerabilities/id/191ec7ea-6ca7-4943-8709-f372ae5a81c7?source=cve
Discussion (0)
Add Comment
No comments yet. Be the first!