CVE-2026-4911 MEDIUM

CVE-2026-4911: Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter

Vendor Masaakitanaka
Product Booking Package
Weakness CWE-472 (External Control of Assumed-Immutable Web Parameter)
Published April 28, 2026
Last update April 29, 2026

CVSS base score

5.3/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Booking Package plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.7.06. The intentForStripe() function passes the user-controlled $_POST['amount'] value directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignores the server-calculated amount when confirming the payment. The server does compute the correct booking cost in getAmount(), from services, guests, taxes and coupons, but that figure is never compared against the PaymentIntent or used to update it: the code in CreditCard.php that would write the calculated amount into the PaymentIntent update is commented out. An unauthenticated attacker can therefore book a service at an arbitrary price (for example $0.01 instead of $500.00) by supplying a low amount when the PaymentIntent is created and then completing the booking with that underpaid payment.
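The following is an added illustration written for this page, not code from Booking Package. It contrasts the pattern the description lays out (a client-supplied amount forwarded straight to Stripe, and a commit step that never re-checks it) with a hardened version in which the amount is derived only from server-side state and verified again before the booking is marked paid. It assumes the official stripe-php SDK (\Stripe\PaymentIntent::create/retrieve), a USD account, and a stand-in getAmount() that returns the booking total in minor units; the function names with _vulnerable/_fixed suffixes and the booking_id metadata key are hypothetical.

```php
<?php
// Added example (not plugin code). Assumes the official stripe-php SDK is
// installed via Composer and STRIPE_SECRET_KEY is set in the environment.
require_once __DIR__ . '/vendor/autoload.php';

\Stripe\Stripe::setApiKey(getenv('STRIPE_SECRET_KEY'));

// Hypothetical stand-in for the plugin's server-side price calculation.
// Amount is in the smallest currency unit (cents); derived only from stored
// booking data (services, guests, taxes, coupons), never from the request.
function getAmount(int $bookingId): int
{
    // ... look up the booking and total it up ...
    return 50000; // $500.00
}

// VULNERABLE pattern, as the advisory describes it: the amount sent to Stripe
// is whatever the client posted, so amount=1 yields a $0.01 PaymentIntent.
function intentForStripe_vulnerable(): array
{
    $intent = \Stripe\PaymentIntent::create([
        'amount'   => (int) $_POST['amount'], // attacker-controlled
        'currency' => 'usd',
    ]);
    return ['client_secret' => $intent->client_secret];
}

// HARDENED: ignore any client-supplied amount; compute it server-side and tag
// the intent with the booking it belongs to so the commit step can cross-check.
function intentForStripe_fixed(int $bookingId): array
{
    $intent = \Stripe\PaymentIntent::create([
        'amount'   => getAmount($bookingId),
        'currency' => 'usd',
        'metadata' => ['booking_id' => (string) $bookingId],
    ]);
    return ['client_secret' => $intent->client_secret];
}

// HARDENED commit: a PaymentIntent id from the browser proves nothing on its
// own. Re-fetch the intent with the secret key and require that it succeeded,
// was created for this booking, and that the amount actually received matches
// the server-calculated price. Anything else is rejected, not marked paid.
function commitStripe_fixed(int $bookingId, string $paymentIntentId): bool
{
    $expected = getAmount($bookingId);
    $intent   = \Stripe\PaymentIntent::retrieve($paymentIntentId);

    if ($intent->status !== 'succeeded') {
        return false; // not paid (or still processing)
    }
    if (($intent->metadata['booking_id'] ?? '') !== (string) $bookingId) {
        return false; // intent belongs to another booking or was replayed
    }
    if ((int) $intent->amount_received !== $expected || $intent->currency !== 'usd') {
        error_log(sprintf('booking %d: received %d %s, expected %d usd',
            $bookingId, $intent->amount_received, $intent->currency, $expected));
        return false; // underpaid or wrong currency
    }

    // ... persist the booking as paid, storing $paymentIntentId against it so
    //     the same intent cannot be committed twice ...
    return true;
}
```

If the price can legitimately change between intent creation and confirmation (a coupon applied late, for example), the server should push the new total with \Stripe\PaymentIntent::update($id, ['amount' => getAmount($bookingId)]) before the client confirms; that is exactly the update the advisory says is commented out in CreditCard.php. Confirming payment state from a signature-verified payment_intent.succeeded webhook rather than from a browser callback removes the remaining trust in the client entirely.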

Explanation of Vulnerability in Simple Terms

02 Summary

Booking Package versions 1.7.06 and earlier contain an integrity vulnerability that lets an unauthenticated, remote attacker choose the amount charged for a booking, so a booking can be completed for far less than its server-calculated price. No user interaction is required. Per the CVSS vector the flaw affects only the integrity of payment and booking data; there is no confidentiality or availability impact. Site administrators should update to a version newer than 1.7.06 to remediate this issue.

What an attacker can do

03 Attacker Capabilities

Complete a booking whose Stripe charge is an attacker-chosen amount (for example $0.01 instead of the calculated $500.00), without logging in.

Potential impact on your site

04 Site Impact

Attackers can obtain bookings at an arbitrary price, leaving the site with confirmed bookings whose recorded payment does not match the price the server calculated. The impact is limited to the integrity of payment and booking data: no site settings, credentials or confidential information are exposed, and availability is not affected.

Conditions required to exploit

05 Prerequisites

Network access to the site's booking form, with the plugin's Stripe credit-card payment path (intentForStripe()/commitStripe()) in use; no authentication or user interaction is required.

Key dates

06 Disclosure timeline

April 28, 2026 CVE published
April 29, 2026 Record updated