{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4911", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-26T16:12:47.440Z", "datePublished": "2026-04-28T06:45:46.282Z", "dateUpdated": "2026-04-28T06:45:46.282Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-28T06:45:46.282Z"}, "affected": [{"vendor": "masaakitanaka", "product": "Booking Package", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.06", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment."}], "title": "Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-472 External Control of Assumed-Immutable Web Parameter", "cweId": "CWE-472", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "momopon1415"}], "timeline": [{"time": "2026-04-27T18:18:55.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment."}], "id": "CVE-2026-4911", "lastModified": "2026-04-28T08:16:01.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-28T08:16:01.967", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-472"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T19:27:49.551929+00:00", "value": {"mitigation_remediation": ["Upgrade the Booking Package plugin to version 1.7.07 or later, which removes the commented code and validates the payment amount against the server\u2011calculated cost", "Verify that the upgraded plugin\u2019s intentForStripe() and commitStripe() functions use the server\u2011calculated amount when creating and confirming the PaymentIntent", "If an upgrade cannot be performed immediately, block or restrict direct POST access to the payment processing endpoints and enforce that the \u2018amount\u2019 parameter is never accepted from client input by configuring server\u2011side validation or using a web\u2011application firewall rule"], "summary": {"action": "Update", "impact": "Unauthenticated Price Manipulation leading to fraudulent bookings"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress Booking Package plugin version 1.7.06 or earlier. Any WordPress site using these versions is exposed to the flaw until an update replaces the vulnerable code paths, specifically those within CreditCard.php and Schedule.php that handle the Stripe PaymentIntent creation and confirmation.", "description_and_impact": "The vulnerability allows an unauthenticated attacker to modify the $_POST['amount'] value sent to the Stripe PaymentIntent API, bypassing the server\u2011side calculation of booking costs. Because the code that would normally set the calculated amount is commented out, the payment is processed with the tampered value, enabling the attacker to complete a booking for an arbitrary low price. This can lead to significant financial loss for the business operating the Booking Package plugin. The weakness is a lack of input validation and validation of critical payment data, as identified by CWE\u2011472.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, but the vulnerability is exploitable without authentication, making the risk higher in practice. EPSS information is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description to be through the public booking interface, where an attacker can submit a crafted POST request to the payment processing endpoint. Once executed, the attacker can complete the booking with an artificially low amount and claim the services, while the payment is recorded as successful by Stripe. Because no user credentials are required, the exploitation likelihood is non\u2011negligible for any site exposing the booking form."}}}}, "created": "2026-04-28T19:30:27.389700+00:00", "updated": "2026-04-28T19:30:27.389715+00:00", "vendors": []}