Skip to main content

Paymenter CVE-2026-47198

HIGH
Improper Input Validation (CWE-20)
2026-06-30 https://github.com/Paymenter/Paymenter GHSA-5q4q-834j-g8g4
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
vuln.today AI
8.5 HIGH

Authenticated customer (PR:L) exploits the network-facing checkout with low complexity; checkout altering the separate provisioning subsystem gives S:C, with high integrity, low availability/cost impact, and no confidentiality loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 17:21 vuln.today

DescriptionGitHub Advisory

Summary

The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.

Technical Details

The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).

When processing this input:

  1. Validation rules are dynamically generated *only* for keys explicitly defined by an extension's getCheckoutConfig() method. Any undefined keys injected into the query parameter bypass validation entirely.
  2. The cart component (app/Livewire/Cart.php) stores all keys from checkout_config directly into the database without sanitation:
php
   foreach ($item->checkout_config as $key => $value) {
       $service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
   }
  1. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.

Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.

Impact

This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.

Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.

AnalysisAI

Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register and log in as normal customer
Delivery
Open checkout with crafted 'config' URL parameter
Exploit
Inject undeclared provisioning keys bypassing validation
Execution
Cart stores keys to service properties unsanitized
Persist
Extension createServer() applies overridden limits
Impact
Obtain over-provisioned resources / tier

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated Paymenter account (PR:L) and an active server extension whose createServer() flow honors user-supplied properties over administrator configuration - the override only takes effect for bundled/extension-managed provisioning parameters such as CPU, RAM, storage, or package tier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L, score 8.5) is internally consistent with the description: network-reachable checkout flow, low attack complexity, low privileges (a normal registered customer), no user interaction, and a scope change because the checkout component manipulates the separate provisioning subsystem. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal customer account, then begins a checkout for a low-tier hosting plan while appending crafted key-value pairs (e.g. higher CPU, RAM, storage, or a premium package tier) to the 'config' URL query parameter. …
Remediation Upgrade to the fixed release identified in GitHub Security Advisory GHSA-5q4q-834j-g8g4 (https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5q4q-834j-g8g4) - the input does not include an exact fix version, so confirm the patched tag directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Paymenter deployments and current versions; implement temporary URL parameter whitelist controls via WAF or application middleware to block injection of resource-related keys. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-47198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy