CVE-2026-11901 in WP Hotel Booking Plugin
Summary
by MITRE • 07/11/2026
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The WP Hotel Booking plugin for WordPress presents a critical security vulnerability classified as insufficient verification of data authenticity, affecting all versions up to and including 2.3.1. This vulnerability stems from the web_hook_process_paypal_standard() IPN handler which directly incorporates attacker-controlled input from the $_REQUEST['test_ipn'] parameter to determine the PayPal validation endpoint. The flaw creates a dangerous condition where the plugin automatically upgrades any pending transaction to completed status when test_ipn=1 is present, bypassing normal authentication and verification procedures.
The technical implementation of this vulnerability demonstrates poor security practices that align with CWE-20, which describes improper input validation in software systems. The IPN handler fails to perform essential post-verification checks on critical transaction parameters including receiver_email, mc_currency, and txn_id uniqueness. This omission allows attackers to exploit the system's trust in PayPal's VERIFIED responses without implementing proper validation controls that should confirm the authenticity of payment transactions. The vulnerability operates at the application layer and represents a significant flaw in the plugin's handling of external payment notifications.
The operational impact of this vulnerability is severe as it enables unauthenticated attackers to mark any hotel booking as fully paid without making legitimate payments to the merchant. This creates opportunities for financial fraud where attackers can manipulate booking systems to generate false revenue while simultaneously compromising the integrity of reservation data. The attack vector requires minimal resources and no site-specific credentials, making it particularly dangerous since an attacker only needs access to a free PayPal sandbox account or any PayPal account to obtain a VERIFIED response. This accessibility dramatically increases the potential for widespread exploitation across multiple vulnerable sites.
Security practitioners should consider this vulnerability in relation to ATT&CK technique T1078 which describes valid accounts usage and T1566 which covers credential harvesting and validation. The weakness creates an environment where attackers can leverage legitimate payment processing systems to manipulate booking statuses without requiring traditional authentication credentials or system access. Mitigation strategies must focus on implementing proper input sanitization, removing reliance on attacker-controllable parameters for critical security decisions, and enforcing comprehensive transaction validation checks that verify all relevant payment parameters before accepting any transaction status changes. Organizations should immediately upgrade to patched versions of the plugin and implement monitoring for suspicious booking status modifications that could indicate exploitation attempts.