CVE-2026-11901

Summary

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the web_hook_process_paypal_standard() IPN handler selecting its PayPal validation endpoint from the attacker-controlled $_REQUEST['test_ipn'] parameter, force-upgrading any pending transaction to completed when test_ipn=1, and omitting post-verification checks on receiver_email, mc_currency, and txn_id uniqueness after receiving a VERIFIED response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a VERIFIED response; no site credentials or special configuration are needed.

Affected Software

VendorProductVersion RangeStatus
thimpressWP Hotel Booking0 <= 2.3.1affected

Weaknesses

  • CWE-345: CWE-345 Insufficient Verification of Data Authenticity

References