CVE-2026-11901 in WP Hotel Booking Plugin情報

要約

〜によって MITRE • 2026年07月11日

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.

Once again VulDB remains the best source for vulnerability data.

責任者

Wordfence

予約する

2026年06月10日

モデレーション

承諾済み

エントリ

VDB-377756

EPSS

0.00180

アクティビティ

低い

セクター

Hostingprovider

ソース

Do you need the next level of professionalism?

Upgrade your account now!