Booking Package Plugin Vulnerability (CVE-2026-4911)

Security Alert Summary

The Booking Package plugin for WordPress contains a price manipulation vulnerability that can allow an attacker to complete bookings at arbitrary amounts by controlling the amount sent to Stripe when creating a PaymentIntent. The issue stems from the plugin passing user-supplied payment amounts to Stripe and failing to validate or enforce the server-calculated booking amount during payment confirmation.

CVE Details

  • CVE ID: CVE-2026-4911
  • Affected component: Booking Package plugin for WordPress
  • Affected versions: versions up to, and including, 1.7.06
  • Published: April 28, 2026 at 8:16:01 AM
  • Last modified: April 28, 2026 at 8:16:01 AM
  • CVSS v3.1: Base Score 5.3, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: No authentication required (PR:N), no user interaction required (UI:N)
  • Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
  • Weakness (CWE): CWE-472

Technical Details

According to the report, the vulnerability occurs because the plugin’s intentForStripe() function passes the user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validating it against the server-calculated booking cost. The server calculates the correct booking amount using getAmount() based on services, guests, taxes, and coupons, but that calculated value is not enforced when creating or confirming the PaymentIntent.

The issue is compounded in the commitStripe() function, which ignores the server-calculated amount when confirming the payment. The code in CreditCard.php that would include the server-calculated amount in the PaymentIntent update is commented out, so the plugin does not update or validate the PaymentIntent with the authoritative amount. As a result, an unauthenticated attacker can supply an arbitrary amount (for example $0.01) during PaymentIntent creation and complete the booking with that manipulated amount instead of the correct calculated amount (for example $500.00).

Files and functions named in the report include CreditCard.php, intentForStripe(), commitStripe(), and getAmount(). The root cause is missing validation and the omission of server-calculated amount enforcement when interacting with the Stripe PaymentIntent API.
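The following is an added example, not code from the Booking Package plugin or from the report. It shows the server-authoritative pattern the report says is missing: the PaymentIntent is created with the server-calculated amount only (the request body is never consulted for it), and confirmation recomputes the amount and compares it with what Stripe holds for the intent before the booking is marked paid. Every name in it (PaymentIntentGateway, FakePaymentIntentGateway, calculateBookingAmount, createIntentForBooking, confirmBooking) is hypothetical; a real implementation would back the gateway with \Stripe\PaymentIntent::create() and \Stripe\PaymentIntent::retrieve(), and the in-memory fake exists only so the example runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names are hypothetical; in production
// the gateway wraps \Stripe\PaymentIntent::create() / ::retrieve().

interface PaymentIntentGateway
{
    /** @return array{id:string,amount:int,currency:string,status:string} */
    public function create(int $amountCents, string $currency): array;
    /** @return array{id:string,amount:int,currency:string,status:string} */
    public function retrieve(string $intentId): array;
}

/** In-memory stand-in for Stripe so the example runs offline (constructed). */
final class FakePaymentIntentGateway implements PaymentIntentGateway
{
    /** @var array<string,array> */
    private array $intents = [];

    public function create(int $amountCents, string $currency): array
    {
        $intent = [
            'id'       => 'pi_' . bin2hex(random_bytes(8)),
            'amount'   => $amountCents,
            'currency' => $currency,
            'status'   => 'succeeded', // constructed: pretend the card step already ran
        ];
        $this->intents[$intent['id']] = $intent;
        return $intent;
    }

    public function retrieve(string $intentId): array
    {
        if (!isset($this->intents[$intentId])) {
            throw new RuntimeException("no such PaymentIntent: $intentId");
        }
        return $this->intents[$intentId];
    }
}

/**
 * Server-side price calculation, standing in for the plugin's getAmount():
 * the figure comes from stored prices, guests, tax and coupon, never from the
 * request. Returns the amount in the smallest currency unit (cents).
 */
function calculateBookingAmount(array $booking): int
{
    $subtotal = $booking['service_price_cents'] * $booking['guests'];
    $subtotal -= min($subtotal, $booking['coupon_cents'] ?? 0);
    $tax = intdiv($subtotal * $booking['tax_percent'], 100);
    return $subtotal + $tax;
}

/** Step 1: create the intent. Any client-supplied amount is ignored. */
function createIntentForBooking(PaymentIntentGateway $gw, array $booking, array $request): array
{
    unset($request['amount']); // the request is not a source of truth for the price
    return $gw->create(calculateBookingAmount($booking), $booking['currency']);
}

/**
 * Step 2: confirm. Recompute the amount and compare it with the intent Stripe
 * holds; only an exact match in amount and currency with a succeeded status
 * marks the booking as paid.
 */
function confirmBooking(PaymentIntentGateway $gw, array $booking, string $intentId): bool
{
    $intent   = $gw->retrieve($intentId);
    $expected = calculateBookingAmount($booking);

    if ($intent['status'] !== 'succeeded') {
        return false;
    }
    if ($intent['currency'] !== $booking['currency']) {
        return false;
    }
    // Strict integer comparison: a smaller or merely "close" amount is rejected.
    return $intent['amount'] === $expected;
}

// Constructed sample booking: $500.00 service, one guest, no tax, no coupon.
$booking = ['service_price_cents' => 50000, 'guests' => 1, 'tax_percent' => 0, 'currency' => 'usd'];
$gw = new FakePaymentIntentGateway();

// Normal flow: the intent carries the server figure, so confirmation passes.
$intent = createIntentForBooking($gw, $booking, ['amount' => 1]); // client value ignored
if (!confirmBooking($gw, $booking, $intent['id'])) {
    throw new LogicException('correctly priced intent must confirm');
}

// An intent holding 1 cent, however it came to exist, must not confirm.
$cheap = $gw->create(1, 'usd');
if (confirmBooking($gw, $booking, $cheap['id'])) {
    throw new LogicException('underpriced intent must be rejected');
}
echo "amount enforcement behaves as expected\n";
```

With the real Stripe object, compare the recomputed figure against the intent's `amount_received` for captured payments rather than `amount` alone, and keep every comparison in integer minor units (cents) so that rounding never turns a mismatch into a pass.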

How This Could Impact Your Website

Imagine a small business using the Booking Package plugin to accept paid appointments. An attacker could create bookings while manipulating the payment amount, leaving bookings recorded as paid for which the correct price was never collected. Practical consequences include:

  • Lost revenue from underpaid or effectively free bookings that still reserve time or resources.
  • Administrative overhead to identify and remediate fraudulent bookings, refund disputes, or chargebacks.
  • Customers receiving booking confirmations for services they did not properly pay for, causing confusion and support workload.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and booking records for unusual behavior, including unexpected low-value payments or spikes in refunds/chargebacks.
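The monitoring item above is easiest to act on with a reconciliation pass over past bookings. The script below is an added example, not part of the advisory or the plugin: it compares each booking's expected price with what the matching Stripe PaymentIntent actually collected and lists the discrepancies. The record shape, field names and the sample rows are all constructed; populate them from your booking table and from the PaymentIntent objects Stripe returns.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Record fields are hypothetical.

/**
 * Return the bookings whose collected amount does not match the expected amount.
 * Amounts are integers in the smallest currency unit (cents), as Stripe uses.
 *
 * @param array<int,array{booking_id:int,expected_cents:int,currency:string,
 *     intent_id:string,intent_amount_received:int,intent_currency:string,
 *     intent_status:string}> $records
 * @return array<int,array{booking_id:int,reason:string,expected_cents:int,received_cents:int}>
 */
function findAmountMismatches(array $records): array
{
    $findings = [];
    foreach ($records as $r) {
        $reason = null;
        if ($r['intent_status'] !== 'succeeded') {
            // Booking exists but the payment never completed.
            $reason = 'booking confirmed but payment status is ' . $r['intent_status'];
        } elseif ($r['intent_currency'] !== $r['currency']) {
            $reason = 'currency mismatch';
        } elseif ($r['intent_amount_received'] < $r['expected_cents']) {
            // The pattern this advisory describes: a reserved slot paid below price.
            $reason = 'underpaid';
        } elseif ($r['intent_amount_received'] > $r['expected_cents']) {
            $reason = 'overpaid';
        }
        if ($reason !== null) {
            $findings[] = [
                'booking_id'     => $r['booking_id'],
                'reason'         => $reason,
                'expected_cents' => $r['expected_cents'],
                'received_cents' => $r['intent_amount_received'],
            ];
        }
    }
    return $findings;
}

// Constructed sample records (not real data).
$records = [
    ['booking_id' => 101, 'expected_cents' => 50000, 'currency' => 'usd',
     'intent_id' => 'pi_example_a', 'intent_amount_received' => 50000,
     'intent_currency' => 'usd', 'intent_status' => 'succeeded'],
    ['booking_id' => 102, 'expected_cents' => 50000, 'currency' => 'usd',
     'intent_id' => 'pi_example_b', 'intent_amount_received' => 1,
     'intent_currency' => 'usd', 'intent_status' => 'succeeded'],
    ['booking_id' => 103, 'expected_cents' => 12000, 'currency' => 'usd',
     'intent_id' => 'pi_example_c', 'intent_amount_received' => 0,
     'intent_currency' => 'usd', 'intent_status' => 'requires_payment_method'],
];

foreach (findAmountMismatches($records) as $f) {
    printf("booking %d: %s (expected %d, received %d)\n",
        $f['booking_id'], $f['reason'], $f['expected_cents'], $f['received_cents']);
}
```

One caveat when filling in `expected_cents`: if the total stored with a booking was itself derived from the same client request, it is not a trustworthy baseline. Recompute the expected figure from the service price list, guest count, tax rate and any coupon actually on file, then compare that against the PaymentIntent's `amount_received`.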

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
