CVE-2026-11901
Received Received - Intake

WP Hotel Booking Plugin PayPal IPN Validation Bypass

Vulnerability report for CVE-2026-11901, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant β€” either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp_hotel_booking wp_hotel_booking to 2.3.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WP Hotel Booking plugin for WordPress has a vulnerability called Insufficient Verification of Data Authenticity in versions up to 2.3.1. This happens because the plugin's PayPal IPN handler uses an attacker-controlled parameter to select the PayPal validation endpoint. This allows attackers to force any pending booking transaction to be marked as completed without actual payment.

Specifically, the handler uses the 'test_ipn' parameter from user input to choose the validation endpoint, and it does not properly verify important details like the receiver's email, currency, or transaction ID uniqueness after receiving a VERIFIED response from PayPal. As a result, attackers can trick the system into accepting fake payments.

An attacker only needs a free PayPal sandbox account or any PayPal account to get a VERIFIED response, and no site credentials or special configuration are required.

Impact Analysis

This vulnerability allows unauthenticated attackers to mark hotel bookings as fully paid without submitting genuine payment. This means attackers can fraudulently obtain services or goods without paying.

The impact includes financial loss for the merchant, as bookings can be confirmed without actual payment, and potential disruption of business operations due to fraudulent transactions.

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious IPN (Instant Payment Notification) requests that manipulate the 'test_ipn' parameter or replay previously verified IPNs to mark bookings as paid without genuine payment.

You can inspect web server logs or network traffic for requests containing 'test_ipn=1' in the parameters sent to the WP Hotel Booking plugin's IPN handler endpoint.

A sample command to search web server logs for such suspicious requests might be:

  • grep -i 'test_ipn=1' /var/log/apache2/access.log

Additionally, monitoring for repeated IPN requests with identical 'txn_id' values could indicate replay attacks.

Commands to find repeated transaction IDs in logs or database entries depend on your logging setup and database, but a general approach is to query the database for duplicate 'txn_id' entries in the booking payment records.

Mitigation Strategies

Immediate mitigation steps include updating the WP Hotel Booking plugin to a version later than 2.3.1 where this vulnerability is fixed.

If an update is not immediately possible, you should disable or restrict access to the IPN handler endpoint to trusted sources only, such as PayPal IPN servers.

Additionally, implement manual verification of IPN parameters such as 'receiver_email', 'mc_currency', and ensure 'txn_id' uniqueness after receiving a VERIFIED response from PayPal.

Monitoring and alerting on suspicious IPN requests with 'test_ipn=1' or repeated transaction IDs can also help mitigate exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11901. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart