CVE-2026-11901
MEDIUMCVSS v3.1: 5.3 · EPSS: 0.0018 (7.7 percentile)
Source data as of:
At a glance
- Severity
- MEDIUM
- CVSS
- 5.3 v3.1 · NVD
- EPSS
- 0.0018 (7.7 percentile) · FIRST.org
- CISA KEV
- No
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Published
- 2026-07-11 · Modified: 2026-07-11
- References
- Jump to references (8)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/p…
- Reference https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/p…