Description
The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to modify the $_POST['amount'] value sent to the Stripe PaymentIntent API, bypassing the server‑side calculation of booking costs. Because the code that would normally set the calculated amount is commented out, the payment is processed with the tampered value, enabling the attacker to complete a booking for an arbitrary low price. This can lead to significant financial loss for the business operating the Booking Package plugin. The underlying weakness is that a payment parameter the server should treat as fixed is instead taken from client input, which is the pattern classified by CWE‑472.

Affected Systems

All installations of the WordPress Booking Package plugin version 1.7.06 or earlier. Any WordPress site using these versions is exposed to the flaw until an update replaces the vulnerable code paths, specifically those within CreditCard.php and Schedule.php that handle the Stripe PaymentIntent creation and confirmation.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, but the vulnerability is exploitable without authentication, making the risk higher in practice. EPSS information is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description to be through the public booking interface, where an attacker can submit a crafted POST request to the payment processing endpoint. Once executed, the attacker can complete the booking with an artificially low amount and claim the services, while the payment is recorded as successful by Stripe. Because no user credentials are required, the exploitation likelihood is non‑negligible for any site exposing the booking form.

Generated by OpenCVE AI on April 28, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking Package plugin to version 1.7.07 or later, which removes the commented code and validates the payment amount against the server‑calculated cost
  • Verify that the upgraded plugin’s intentForStripe() and commitStripe() functions use the server‑calculated amount when creating and confirming the PaymentIntent
  • If an upgrade cannot be performed immediately, block or restrict direct POST access to the payment processing endpoints and enforce that the ‘amount’ parameter is never accepted from client input by configuring server‑side validation or using a web‑application firewall rule
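As an added illustration of the fix the recommended actions describe (example code written for this page, not the Booking Package plugin's own code), the following PHP sketch keeps the PaymentIntent amount entirely under server control and re-checks it before the booking is committed. It assumes the stripe/stripe-php SDK; computeBookingTotal(), createIntentForBooking() and commitBooking() are hypothetical names standing in for the plugin's getAmount(), intentForStripe() and commitStripe(), and the $booking array shape is invented for the example.

```php
<?php
// Added example (not the plugin's code): hardened PaymentIntent flow in which
// the amount charged is always the server-side total. Assumes stripe/stripe-php.
require_once __DIR__ . '/vendor/autoload.php';

\Stripe\Stripe::setApiKey(getenv('STRIPE_SECRET_KEY'));

/**
 * Hypothetical stand-in for the plugin's getAmount(): returns the booking total
 * in the currency's smallest unit (e.g. cents), computed only from data the
 * client cannot tamper with (services, guests, taxes, coupons).
 */
function computeBookingTotal(array $booking): int {
    $total = 0;
    foreach ($booking['services'] as $service) {
        $total += (int) $service['unit_price'] * (int) $service['qty'];
    }
    $total = (int) round($total * (1 + (float) $booking['tax_rate']));
    $total -= (int) $booking['coupon_discount'];
    return max($total, 0);
}

/**
 * Hardened counterpart of intentForStripe(): $_POST['amount'] is never read.
 * The PaymentIntent amount is derived from the server-side total only, and the
 * booking id is stored in metadata so the commit step can tie the intent back.
 */
function createIntentForBooking(array $booking, string $currency): \Stripe\PaymentIntent {
    $amount = computeBookingTotal($booking);
    if ($amount <= 0) {
        throw new RuntimeException('Refusing to create a PaymentIntent for a non-positive amount');
    }
    return \Stripe\PaymentIntent::create([
        'amount'   => $amount,
        'currency' => strtolower($currency),
        'metadata' => ['booking_id' => (string) $booking['id']],
    ]);
}

/**
 * Hardened counterpart of commitStripe(): before the booking is marked paid,
 * re-fetch the PaymentIntent from Stripe (never trust a client-supplied amount
 * or status) and compare what was actually received with the server-side total.
 */
function commitBooking(string $paymentIntentId, array $booking, string $currency): bool {
    $intent   = \Stripe\PaymentIntent::retrieve($paymentIntentId);
    $expected = computeBookingTotal($booking);

    if ($intent->status !== 'succeeded') {
        error_log("booking {$booking['id']}: intent {$paymentIntentId} not succeeded ({$intent->status})");
        return false;
    }
    if ((string) ($intent->metadata['booking_id'] ?? '') !== (string) $booking['id']) {
        error_log("booking {$booking['id']}: intent {$paymentIntentId} belongs to another booking");
        return false;
    }
    if ($intent->currency !== strtolower($currency) || (int) $intent->amount_received !== $expected) {
        // Detection point for the pattern in this advisory: the amount Stripe
        // actually received differs from what the server calculated.
        error_log(sprintf(
            'booking %s: amount mismatch, received %d %s, expected %d %s',
            $booking['id'], (int) $intent->amount_received, $intent->currency, $expected, strtolower($currency)
        ));
        return false;
    }
    return true;
}
```

The same comparison belongs in the webhook handler for Stripe's payment_intent.succeeded event as well, so that a mismatch is still logged and the booking still refused even if the browser-side commit request never arrives.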



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Masaakitanaka
                                      Masaakitanaka booking Package
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products   -                Masaakitanaka
                                      Masaakitanaka booking Package
                                      Wordpress
                                      Wordpress wordpress

Tue, 28 Apr 2026 07:30:00 +0000

Type          Values Removed   Values Added
Description   -                The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.
Title         -                Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter
Weaknesses    -                CWE-472
References    -                -
Metrics       -                cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-28T06:45:46.282Z

Reserved: 2026-03-26T16:12:47.440Z

Link: CVE-2026-4911

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-28T08:16:01.967

Modified: 2026-04-28T20:26:04.673

Link: CVE-2026-4911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:11:01Z

Weaknesses