Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
IPN endpoint is publicly network-accessible with no authentication; integrity limited to booking record manipulation with no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the web_hook_process_paypal_standard() IPN handler selecting its PayPal validation endpoint from the attacker-controlled $_REQUEST['test_ipn'] parameter, force-upgrading any pending transaction to completed when test_ipn=1, and omitting post-verification checks on receiver_email, mc_currency, and txn_id uniqueness after receiving a VERIFIED response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant - either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a VERIFIED response; no site credentials or special configuration are needed.
AnalysisAI
Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler web_hook_process_paypal_standard() accepts an attacker-controlled test_ipn=1 parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on receiver_email, mc_currency, and txn_id uniqueness. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) WP Hotel Booking plugin version ≤2.3.1 installed and active on a WordPress site; (2) the PayPal Standard gateway enabled and configured within the plugin - this is the primary gateway option and a common deployment configuration for this plugin, but sites using only non-PayPal gateways are not affected; (3) attacker possession of either a free PayPal sandbox developer account (for the test_ipn=1 sandbox routing attack) or any existing PayPal account that has previously received a verified IPN (for the replay attack variant). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 5.3 (Medium) with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N technically represents a low-complexity, unauthenticated, network-accessible flaw with limited integrity impact - but this score materially understates the business risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free PayPal sandbox developer account and identifies a hotel WordPress site running WP Hotel Booking with PayPal Standard enabled. The attacker sends a crafted HTTP POST to the site's IPN endpoint (e.g., `/?wphb-listener=ipn`) with `test_ipn=1` set alongside a fabricated booking reference and transaction ID; the plugin routes IPN validation to PayPal's sandbox, receives a genuine 'VERIFIED' response using the attacker's sandbox credentials, skips `receiver_email` and `txn_id` checks, and automatically promotes the target booking from pending to completed - granting the attacker a confirmed hotel reservation without any real payment transfer to the merchant. … |
| Remediation | The primary remediation is to update the WP Hotel Booking plugin to a version above 2.3.1; a fix commit is confirmed in the WordPress plugin SVN at the changeset https://plugins.trac.wordpress.org/changeset?reponame=&old=3582839%40wp-hotel-booking&new=3582839%40wp-hotel-booking, however the exact patched release version number is not independently confirmed from the available data - verify the current version in the WordPress plugin repository before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Hotel Booking
View allThe WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/r
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not esca
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hos
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing
The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not ensu
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in
Missing Authorization vulnerability in ThimPress WP Hotel Booking.0.9.2. Rated medium severity (CVSS 6.5), this vulnerab
Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43149
GHSA-8frr-75wq-jfgf