Description
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.
Problem types
CWE-345 Insufficient Verification of Data Authenticity
Product status
Any version
Timeline
| 2026-06-10: | Vendor Notified |
| 2026-07-10: | Disclosed |
Credits
valent1
References
www.wordfence.com/...-6ca7-4943-8709-f372ae5a81c7?source=cve
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php
plugins.trac.wordpress.org/...new=3582839%40wp-hotel-booking