Price Manipulation in Booking Package Plugin for WordPress
CVE-2026-4911

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Booking Package
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-4911?

The Booking Package plugin for WordPress, up to version 1.7.06, contains a vulnerability that enables unauthenticated users to manipulate the price of bookings. This occurs through the intentForStripe() function, which improperly passes user-supplied $_POST['amount'] to the Stripe PaymentIntent API without adequate validation. Furthermore, the commitStripe() function neglects to utilize the server-calculated amount, allowing attackers to create bookings at arbitrary prices. The server calculates the true cost using getAmount(), which factors in services, guests, taxes, and discounts, yet this amount is ignored in the payment process due to critical code being commented out. Consequently, an attacker can book services for a fraction of the intended cost, potentially undermining the financial integrity of the booking system.

Affected Version(s)

Booking Package 0 <= 1.7.06

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/booking-packag...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Mar 26, 2026

Credit

momopon1415

CVE-2026-4911 Data

JSON