WP Hotel Booking <= 2.3.1 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via PayPal IPN Handler

2026-07-10 16:57
valent1

Strategic Overview

Status
Patched in 2.3.2
Affected PluginWP Hotel Booking
Affected Version<= 2.3.1
CVSS5.3Medium
CVECVE-2026-11901
View all WP Hotel Booking vulnerabilities

Vulnerability Overview

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.

Technical Analysis

REMEDIATION: Update to version 2.3.2, or a newer patched version --- IDENTIFIER: CWE-345 (Insufficient Verification of Data Authenticity) The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C