PT-2026-57410 · WordPress · Wp Hotel Booking

Valent1

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-11901

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions WP Hotel Booking versions prior to 2.3.2
Description Insufficient Verification of Data Authenticity allows unauthenticated attackers to mark hotel bookings as paid without submitting actual payment. The issue exists in the web hook process paypal standard() IPN handler, which allows the selection of the PayPal validation endpoint via the attacker-controlled $ REQUEST['test ipn'] parameter. When test ipn is set to 1, pending transactions are force-upgraded to completed. Additionally, the system fails to perform post-verification checks on receiver email, mc currency, and the uniqueness of txn id after receiving a verified response. Attackers can exploit this by routing validation through a PayPal sandbox account or replaying a previously verified IPN from a nominal payment.
Recommendations Update the plugin to version 2.3.2 or later. As a temporary mitigation, restrict or disable the use of the test ipn parameter in the web hook process paypal standard() function.

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-11901

Affected Products

Wp Hotel Booking