Insufficient Data Authenticity Verification in WP Hotel Booking Plugin by WordPress
CVE-2026-11901

5.3MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-11901?

The WP Hotel Booking plugin is susceptible to a critical flaw allowing unauthorized attackers to falsify hotel bookings as fully paid. This is achievable through the manipulation of the test_ipn parameter in the IPN handler, leading to the automatic transition of pending transactions to completed without proper payment verification. Attackers can exploit the system by utilizing a free PayPal sandbox or reusing validated IPN data, negating the necessity for valid credentials or configurations. Consequently, this vulnerability enables malicious actors to exploit the payment processing system and compromise the integrity of hotel booking transactions.

Affected Version(s)

WP Hotel Booking 0 <= 2.3.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

valent1
.