A vulnerability was found in thimpress WP Hotel Booking Plugin up to 2.3.1 on WordPress. It has been rated as critical. This issue affects the function
web_hook_process_paypal_standard of the component IPN Handler. This manipulation of the argument test_ipn causes authentication bypass by capture-replay.
This vulnerability is registered as CVE-2026-11901. Remote exploitation of the attack is possible. No exploit is available.