WordPress · Wp Hotel Booking · CVE-2026-11901
**Name of the Vulnerable Software and Affected Versions**
WP Hotel Booking versions prior to 2.3.2
**Description**
Insufficient Verification of Data Authenticity allows unauthenticated attackers to mark hotel bookings as paid without submitting actual payment. The issue exists in the `web hook process paypal standard()` IPN handler, which allows the selection of the PayPal validation endpoint via the attacker-controlled `$ REQUEST['test ipn']` parameter. When `test ipn` is set to `1`, pending transactions are force-upgraded to completed. Additionally, the system fails to perform post-verification checks on `receiver email`, `mc currency`, and the uniqueness of `txn id` after receiving a verified response. Attackers can exploit this by routing validation through a PayPal sandbox account or replaying a previously verified IPN from a nominal payment.
**Recommendations**
Update the plugin to version 2.3.2 or later.
As a temporary mitigation, restrict or disable the use of the `test ipn` parameter in the `web hook process paypal standard()` function.