CVE-2026-4911

MEDIUM
Published Apr 28, 2026 Modified Apr 28, 2026 CWE-472

Description

The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.

CVSS v3.1 Score

5.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS — Exploit Prediction

0.0006
Probability of exploitation
0.17%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-472 CWE-472

References

Other References

https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L393 https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/CreditCard.php#L548 https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L15151 https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.04/lib/Schedule.php#L8948 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L390 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/CreditCard.php#L545 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L15151 https://plugins.trac.wordpress.org/browser/booking-package/trunk/lib/Schedule.php#L8942 https://plugins.trac.wordpress.org/changeset?old_path=%2Fbooking-package/tags/1.7.06&new_path=%2Fbooking-package/tags/1.7.07 https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=cve

Frequently Asked Questions

What is CVE-2026-4911? +
The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment. It has a CVSS v3.1 base score of 5.3 (MEDIUM).
How severe is CVE-2026-4911? +
CVE-2026-4911 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0006, placing it in the 0th percentile for exploitation probability.
How do I check if I'm vulnerable to CVE-2026-4911? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-32699

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the …
CVE-2025-26312

SendQuick Entera devices before 11HF5 are vulnerable to CAPTCHA bypass by removing the Captcha parameter.
CVE-2024-12123

A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When …
CVE-2025-66385

UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such …
CVE-2024-25153 9.8

A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the …
CVE-2025-43930 9.8

Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-4911 — free, no signup required.

Start Free Scan