CVE-2026-11901
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and includi
CVSS
5.3
Medio
EPSS
0.2%
p7
KEV
—
Exploit Today
2
0-100
Publicado: 11 jul 2026 · Última mod.: 14 jul 2026 · CWE-345
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L173
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L186
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L194
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L253
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L173
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L186
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L194
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L253
- plugins.trac.wordpress.orghttps://plugins.trac.wordpress.org/changeset?reponame=&old=3582839%40wp-hotel-booking&new=3582839%40wp-hotel-booking
- www.wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/191ec7ea-6ca7-4943-8709-f372ae5a81c7?source=cve