Home

Description

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.

PUBLISHED Reserved 2026-06-10 | Published 2026-07-11 | Updated 2026-07-14 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-345 Insufficient Verification of Data Authenticity

Product status

Default status
unaffected

Any version
affected

Timeline

2026-06-10:Vendor Notified
2026-07-10:Disclosed

Credits

valent1 finder

References

www.wordfence.com/...-6ca7-4943-8709-f372ae5a81c7?source=cve

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...phb-payment-gateway-paypal.php

plugins.trac.wordpress.org/...new=3582839%40wp-hotel-booking

cve.org (CVE-2026-11901)

nvd.nist.gov (CVE-2026-11901)

Download JSON