CVE-2026-4911
Status: Received - Intake
Price Manipulation in Booking Package WordPress Plugin via Stripe API

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: Wordfence

Description
The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.
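The defensive pattern the description implies is that the amount sent to Stripe and the amount checked at commit time both come from the server's own price calculation, never from the request. The following is an added illustration of that pattern, not code from the Booking Package plugin: the function names bp_example_server_amount_in_cents(), bp_example_intent_for_stripe() and bp_example_commit_stripe() are hypothetical stand-ins for the plugin's getAmount(), intentForStripe() and commitStripe(), the $booking array layout and the STRIPE_SECRET_KEY constant are assumptions, and the Stripe calls are the documented stripe/stripe-php SDK methods PaymentIntent::create() and PaymentIntent::retrieve().

```php
<?php
// Added example (not the plugin's code): server-authoritative Stripe PaymentIntent flow.
// Assumes stripe/stripe-php is installed via Composer and STRIPE_SECRET_KEY is defined
// in wp-config.php (both assumptions, not the plugin's real configuration).
require_once __DIR__ . '/vendor/autoload.php';

// Stand-in for the plugin's getAmount(): the price is derived only from server-side
// booking data (services, guests, taxes, coupons). Returned in the smallest currency
// unit (cents) because that is what the Stripe API expects.
function bp_example_server_amount_in_cents(array $booking): int {
    $subtotal = 0;
    foreach ($booking['services'] as $service) {          // [['price' => 50000, 'qty' => 1], ...]
        $subtotal += (int) $service['price'] * (int) $service['qty'];
    }
    $subtotal  *= max(1, (int) $booking['guests']);
    $discount   = (int) round($subtotal * ((int) $booking['coupon_percent'] / 100));
    $taxable    = $subtotal - $discount;
    $tax        = (int) round($taxable * ((float) $booking['tax_rate']));
    return max(0, $taxable + $tax);
}

// Counterpart of intentForStripe(): the client never supplies the amount.
// $_POST['amount'] is deliberately not read anywhere in this function.
function bp_example_intent_for_stripe(array $booking): array {
    \Stripe\Stripe::setApiKey(STRIPE_SECRET_KEY);
    $amount = bp_example_server_amount_in_cents($booking);
    $intent = \Stripe\PaymentIntent::create([
        'amount'   => $amount,
        'currency' => $booking['currency'],
        // Bind the intent to this booking so it cannot be reused for another one.
        'metadata' => ['booking_id' => (string) $booking['id']],
    ]);
    return ['intent_id' => $intent->id, 'client_secret' => $intent->client_secret];
}

// Counterpart of commitStripe(): re-fetch the PaymentIntent from Stripe and fail closed
// unless it belongs to this booking, has succeeded, and carries exactly the amount the
// server computes now. A mismatch (e.g. a tampered amount, or a price that changed after
// the intent was created) means the booking is not marked as paid.
function bp_example_commit_stripe(array $booking, string $intentId): bool {
    \Stripe\Stripe::setApiKey(STRIPE_SECRET_KEY);
    $intent   = \Stripe\PaymentIntent::retrieve($intentId);
    $expected = bp_example_server_amount_in_cents($booking);

    if ((string) ($intent->metadata['booking_id'] ?? '') !== (string) $booking['id']) {
        return false;   // intent created for a different booking
    }
    if ($intent->status !== 'succeeded') {
        return false;   // payment not actually captured
    }
    if ($intent->currency !== $booking['currency']) {
        return false;   // currency swap would change the real value paid
    }
    if ((int) $intent->amount !== $expected || (int) $intent->amount_received !== $expected) {
        return false;   // amount does not match the server-side price
    }
    return true;        // safe to mark the booking as paid
}
```

Two design points matter here. First, the amount is recomputed at commit time rather than read back from the intent alone, so a client that tampered with the intent amount (or created an intent for a cheaper booking) cannot complete the more expensive one. Second, the check compares both amount and amount_received against the server figure and requires status succeeded, so partial captures and unconfirmed intents are rejected as well; the same comparison belongs in a Stripe webhook handler if the plugin relies on webhooks to finalize bookings.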
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: booking_package
Product: booking_package
Version / Range: up to and including 1.7.06
CWE
CWE-472: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
AI Powered Q&A
Can you explain this vulnerability to me?

The Booking Package plugin for WordPress has a vulnerability in versions up to and including 1.7.06 that allows price manipulation. This happens because the intentForStripe() function takes the user-controlled amount value from a POST request and sends it directly to the Stripe PaymentIntent API without validating it. Additionally, the commitStripe() function does not use the server-calculated booking amount when confirming the payment. Although the server calculates the correct booking cost based on services, guests, taxes, and coupons, this amount is never checked against or used to update the PaymentIntent because the relevant code is commented out. As a result, attackers can manipulate the amount parameter to pay arbitrary prices, such as $0.01 instead of the actual cost.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to book services at fraudulent prices by manipulating the payment amount during the Stripe PaymentIntent creation. This can lead to financial losses for the service provider because attackers can pay much less than the actual booking cost or potentially bypass payment altogether.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to manipulate payment amounts when booking services, potentially leading to fraudulent transactions.

However, there is no information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

