CyberRota
← Ana sayfaya dön

CVE-2026-11901

MEDIUM · CVSS 5.3

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-11T07:16:45.347 · Çekilme zamanı: 2026-07-11T12:05:27.952574+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

CVE
CVE-2026-11901
Severity
MEDIUM
CVSS
5.3
EPSS
Yok
WordPress

Orijinal NVD Açıklaması

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.