Insufficient Data Authenticity Verification in WP Hotel Booking Plugin by WordPress
CVE-2026-11901
5.3MEDIUM
What is CVE-2026-11901?
The WP Hotel Booking plugin is susceptible to a critical flaw allowing unauthorized attackers to falsify hotel bookings as fully paid. This is achievable through the manipulation of the test_ipn parameter in the IPN handler, leading to the automatic transition of pending transactions to completed without proper payment verification. Attackers can exploit the system by utilizing a free PayPal sandbox or reusing validated IPN data, negating the necessity for valid credentials or configurations. Consequently, this vulnerability enables malicious actors to exploit the payment processing system and compromise the integrity of hotel booking transactions.
Affected Version(s)
WP Hotel Booking 0 <= 2.3.1