The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data...
🔗 CVE IDs covered (1)
📋 Description
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the web_hook_process_paypal_standard() IPN handler selecting its PayPal validation endpoint from the attacker-controlled $_REQUEST['test_ipn'] parameter, force-upgrading any pending transaction to completed when test_ipn=1, and omitting post-verification checks on receiver_email, mc_currency, and txn_id uniqueness after receiving a VERIFIED response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a VERIFIED response; no site credentials or special configuration are needed.
🔗 References (12)
- https://nvd.nist.gov/vuln/detail/CVE-2026-11901
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L173
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L186
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L194
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.0/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L253
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L173
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L186
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L194
- https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.1/includes/gateways/paypal/class-wphb-payment-gateway-paypal.php#L253
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3582839%40wp-hotel-booking&new=3582839%40wp-hotel-booking
- https://www.wordfence.com/threat-intel/vulnerabilities/id/191ec7ea-6ca7-4943-8709-f372ae5a81c7?source=cve
- https://github.com/advisories/GHSA-8frr-75wq-jfgf