PT-2026-57410 · WordPress · Wp Hotel Booking
Valent1
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-11901
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WP Hotel Booking versions prior to 2.3.2
Description
Insufficient Verification of Data Authenticity allows unauthenticated attackers to mark hotel bookings as paid without submitting actual payment. The issue exists in the
web hook process paypal standard() IPN handler, which allows the selection of the PayPal validation endpoint via the attacker-controlled $ REQUEST['test ipn'] parameter. When test ipn is set to 1, pending transactions are force-upgraded to completed. Additionally, the system fails to perform post-verification checks on receiver email, mc currency, and the uniqueness of txn id after receiving a verified response. Attackers can exploit this by routing validation through a PayPal sandbox account or replaying a previously verified IPN from a nominal payment.Recommendations
Update the plugin to version 2.3.2 or later.
As a temporary mitigation, restrict or disable the use of the
test ipn parameter in the web hook process paypal standard() function.Fix
Insufficient Verification of Data Authenticity
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Hotel Booking