CVE-2026-4911 - Vulnerability Details

Link	Providers
https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393
https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548
https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151
https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948
https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390
https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545
https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151
https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942
https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07
https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve

Type	Values Removed	Values Added
Description		The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.
Title		Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter
Weaknesses		CWE-472
References		https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393 https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548 https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151 https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942 https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07 https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4911", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-26T16:12:47.440Z", "datePublished": "2026-04-28T06:45:46.282Z", "dateUpdated": "2026-04-28T06:45:46.282Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-28T06:45:46.282Z"}, "affected": [{"vendor": "masaakitanaka", "product": "Booking Package", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.06", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment."}], "title": "Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151"}, {"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-472 External Control of Assumed-Immutable Web Parameter", "cweId": "CWE-472", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "momopon1415"}], "timeline": [{"time": "2026-04-27T18:18:55.000Z", "lang": "en", "value": "Disclosed"}]}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment."}], "id": "CVE-2026-4911", "lastModified": "2026-04-28T08:16:01.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-28T08:16:01.967", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-472"}], "source": "security@wordfence.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object