Paymenter CVE-2026-47198
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Authenticated customer (PR:L) exploits the network-facing checkout with low complexity; checkout altering the separate provisioning subsystem gives S:C, with high integrity, low availability/cost impact, and no confidentiality loss.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.
Technical Details
The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).
When processing this input:
- Validation rules are dynamically generated *only* for keys explicitly defined by an extension's
getCheckoutConfig()method. Any undefined keys injected into the query parameter bypass validation entirely. - The cart component (
app/Livewire/Cart.php) stores all keys fromcheckout_configdirectly into the database without sanitation:
foreach ($item->checkout_config as $key => $value) {
$service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
}- During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.
Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.
Impact
This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.
Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.
AnalysisAI
Server provisioning parameter tampering in Paymenter (a PHP/Laravel billing and hosting-management platform) lets any authenticated customer override administrator-defined hosting plans and resource limits during checkout. By injecting arbitrary key-value pairs into the URL-bound checkout configuration, a low-privileged user can escalate CPU, RAM, storage, or package tiers without admin rights. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated Paymenter account (PR:L) and an active server extension whose createServer() flow honors user-supplied properties over administrator configuration - the override only takes effect for bundled/extension-managed provisioning parameters such as CPU, RAM, storage, or package tier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L, score 8.5) is internally consistent with the description: network-reachable checkout flow, low attack complexity, low privileges (a normal registered customer), no user interaction, and a scope change because the checkout component manipulates the separate provisioning subsystem. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a normal customer account, then begins a checkout for a low-tier hosting plan while appending crafted key-value pairs (e.g. higher CPU, RAM, storage, or a premium package tier) to the 'config' URL query parameter. … |
| Remediation | Upgrade to the fixed release identified in GitHub Security Advisory GHSA-5q4q-834j-g8g4 (https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5q4q-834j-g8g4) - the input does not include an exact fix version, so confirm the patched tag directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Paymenter deployments and current versions; implement temporary URL parameter whitelist controls via WAF or application middleware to block injection of resource-related keys. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5q4q-834j-g8g4