PT-2026-35680 · WordPress · Booking Package

Momopon1415 · Published 2026-04-28 · Updated 2026-04-29 · CVE-2026-4911

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Booking Package versions prior to 1.7.07
Description: Price manipulation occurs because the intentForStripe() function passes the user-controlled $_POST['amount'] value directly to the Stripe PaymentIntent API without validation. In addition, the commitStripe() function ignores the server-calculated amount during payment confirmation. Although getAmount() correctly calculates the cost from services, guests, taxes and coupons, that value is never compared against the PaymentIntent because the necessary check in CreditCard.php is commented out. As a result, an unauthenticated attacker can book services at an arbitrary price by manipulating the amount parameter when the PaymentIntent is created.
Recommendations: Update the plugin to version 1.7.07 or later.
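The amount-handling flaw described above, as an added PHP illustration (not code from the Booking Package plugin, and not Stripe's own code): a vulnerable intentForStripe() that trusts $_POST['amount'], beside hardened intentForStripe()/commitStripe() that derive the charge from getAmount() and verify the PaymentIntent against it on confirmation. The Stripe PHP SDK calls (\Stripe\PaymentIntent::create/retrieve) and WordPress helpers (wp_send_json_success/wp_send_json_error, sanitize_text_field, wp_unslash) are real; the $booking array, the STRIPE_SECRET_KEY constant, the 'usd' currency and the getAmount(array $booking): int signature returning the total in minor currency units are assumptions.

```php
<?php
// Added illustration, not code from the Booking Package plugin or from Stripe.
// Assumed: the Stripe PHP SDK is autoloaded, STRIPE_SECRET_KEY is defined, and
// getAmount(array $booking): int returns the server-calculated total in the
// smallest currency unit (cents) after services, guests, taxes and coupons.
// The names intentForStripe/commitStripe/getAmount follow the advisory; their
// parameters here are assumptions.

require_once __DIR__ . '/vendor/autoload.php';

// --- Vulnerable pattern, as described in the advisory (for contrast) ------
function intentForStripe_vulnerable(): void {
    \Stripe\Stripe::setApiKey(STRIPE_SECRET_KEY);
    // The client chooses the charge: whatever amount the browser POSTs becomes
    // the PaymentIntent amount, so amount=50 pays for a 50000-cent booking.
    $intent = \Stripe\PaymentIntent::create([
        'amount'   => (int) $_POST['amount'],
        'currency' => 'usd',
    ]);
    wp_send_json_success(['client_secret' => $intent->client_secret]);
}

// --- Hardened pattern -----------------------------------------------------
function intentForStripe(array $booking): void {
    \Stripe\Stripe::setApiKey(STRIPE_SECRET_KEY);
    // Never read the amount from the request: recompute it from the booking.
    $amount = getAmount($booking);
    if ($amount <= 0) {
        wp_send_json_error(['message' => 'Invalid booking total'], 400);
    }
    $intent = \Stripe\PaymentIntent::create([
        'amount'   => $amount,
        'currency' => 'usd',
        // Bind the intent to this booking so commitStripe() can verify it.
        'metadata' => ['booking_id' => (string) $booking['id']],
    ]);
    wp_send_json_success(['client_secret' => $intent->client_secret]);
}

function commitStripe(array $booking): void {
    \Stripe\Stripe::setApiKey(STRIPE_SECRET_KEY);
    $intentId = sanitize_text_field(wp_unslash($_POST['payment_intent_id'] ?? ''));
    if ($intentId === '') {
        wp_send_json_error(['message' => 'Missing payment intent'], 400);
    }
    // Read the authoritative state from Stripe, not from the client, and
    // compare it with the server-side total: this is the check the advisory
    // says is commented out in CreditCard.php.
    $intent   = \Stripe\PaymentIntent::retrieve($intentId);
    $expected = getAmount($booking);

    $ok = $intent->status === 'succeeded'
        && (int) $intent->amount_received === $expected
        && $intent->currency === 'usd'
        && ($intent->metadata['booking_id'] ?? '') === (string) $booking['id'];

    if (!$ok) {
        // Amount, currency or booking binding disagrees with the server: refuse.
        wp_send_json_error(['message' => 'Payment does not match booking total'], 402);
    }
    // Only now mark the booking as paid.
    wp_send_json_success(['booking_id' => $booking['id'], 'paid' => $expected]);
}
```

Deriving the amount server-side at creation is necessary but not sufficient: the confirmation step must still re-derive the total and compare it to what Stripe reports as actually received, otherwise a client can confirm a booking by referencing an intent that was created (legitimately) for a cheaper booking. Binding the intent to the booking through metadata closes that substitution path.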

Weakness Enumeration

Related Identifiers

CVE-2026-4911

Affected Products

Booking Package