Skip to main content

WP Hotel Booking CVE-2026-11901

| EUVDEUVD-2026-43149 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-07-11 Wordfence GHSA-8frr-75wq-jfgf
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

IPN endpoint is publicly network-accessible with no authentication; integrity limited to booking record manipulation with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 07:03 vuln.today
CVE Published
Jul 11, 2026 - 05:35 cve.org
MEDIUM 5.3

DescriptionCVE.org

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the web_hook_process_paypal_standard() IPN handler selecting its PayPal validation endpoint from the attacker-controlled $_REQUEST['test_ipn'] parameter, force-upgrading any pending transaction to completed when test_ipn=1, and omitting post-verification checks on receiver_email, mc_currency, and txn_id uniqueness after receiving a VERIFIED response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant - either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a VERIFIED response; no site credentials or special configuration are needed.

AnalysisAI

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler web_hook_process_paypal_standard() accepts an attacker-controlled test_ipn=1 parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on receiver_email, mc_currency, and txn_id uniqueness. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Create free PayPal sandbox account
Delivery
POST crafted IPN to public webhook with test_ipn=1
Exploit
Plugin reroutes validation to PayPal sandbox endpoint
Install
Sandbox returns VERIFIED for attacker-controlled transaction
C2
Plugin skips receiver_email, currency, and txn_id uniqueness checks
Execute
Pending booking status promoted to completed
Impact
Confirmed reservation obtained with zero real payment

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) WP Hotel Booking plugin version ≤2.3.1 installed and active on a WordPress site; (2) the PayPal Standard gateway enabled and configured within the plugin - this is the primary gateway option and a common deployment configuration for this plugin, but sites using only non-PayPal gateways are not affected; (3) attacker possession of either a free PayPal sandbox developer account (for the test_ipn=1 sandbox routing attack) or any existing PayPal account that has previously received a verified IPN (for the replay attack variant). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 5.3 (Medium) with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N technically represents a low-complexity, unauthenticated, network-accessible flaw with limited integrity impact - but this score materially understates the business risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free PayPal sandbox developer account and identifies a hotel WordPress site running WP Hotel Booking with PayPal Standard enabled. The attacker sends a crafted HTTP POST to the site's IPN endpoint (e.g., `/?wphb-listener=ipn`) with `test_ipn=1` set alongside a fabricated booking reference and transaction ID; the plugin routes IPN validation to PayPal's sandbox, receives a genuine 'VERIFIED' response using the attacker's sandbox credentials, skips `receiver_email` and `txn_id` checks, and automatically promotes the target booking from pending to completed - granting the attacker a confirmed hotel reservation without any real payment transfer to the merchant. …
Remediation The primary remediation is to update the WP Hotel Booking plugin to a version above 2.3.1; a fix commit is confirmed in the WordPress plugin SVN at the changeset https://plugins.trac.wordpress.org/changeset?reponame=&old=3582839%40wp-hotel-booking&new=3582839%40wp-hotel-booking, however the exact patched release version number is not independently confirmed from the available data - verify the current version in the WordPress plugin repository before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-3605 CRITICAL POC
10.0 Jun 20

The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/r

CVE-2023-5652 CRITICAL POC
9.8 Nov 20

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not esca

CVE-2026-9822 MEDIUM POC
6.5 Jun 19

Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hos

CVE-2023-5799 MEDIUM POC
5.4 Nov 20

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing

CVE-2023-5651 MEDIUM POC
5.4 Nov 20

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensu

CVE-2024-7855 HIGH
8.8 Oct 02

The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in

CVE-2024-30508 MEDIUM
6.5 Mar 29

Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerab

CVE-2026-11392 MEDIUM
6.1 Jul 10

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits

CVE-2020-36757 MEDIUM
4.3 Jul 12

The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,

CVE-2024-13447 MEDIUM
4.3 Jan 22

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check

CVE-2024-12370 MEDIUM
5.3 Jan 17

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability

Share

CVE-2026-11901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy