GHSA-5Q4Q-834J-G8G4
Vulnerability from github – Published: 2026-06-30 16:44 – Updated: 2026-06-30 16:44Summary
The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.
Technical Details
The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).
When processing this input:
1. Validation rules are dynamically generated only for keys explicitly defined by an extension's getCheckoutConfig() method. Any undefined keys injected into the query parameter bypass validation entirely.
2. The cart component (app/Livewire/Cart.php) stores all keys from checkout_config directly into the database without sanitation:
foreach ($item->checkout_config as $key => $value) {
$service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
}
- During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.
Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.
Impact
This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.
Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "paymenter/paymenter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47198"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T16:44:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.\n\n### Technical Details\nThe `Checkout` Livewire component (`app/Livewire/Products/Checkout.php`) exposes the `$checkoutConfig` property to URL query parameters via the `#[Url]` attribute (aliased as `config`). \n\nWhen processing this input:\n1. Validation rules are dynamically generated *only* for keys explicitly defined by an extension\u0027s `getCheckoutConfig()` method. Any undefined keys injected into the query parameter bypass validation entirely.\n2. The cart component (`app/Livewire/Cart.php`) stores all keys from `checkout_config` directly into the database without sanitation:\n```php\n foreach ($item-\u003echeckout_config as $key =\u003e $value) {\n $service-\u003eproperties()-\u003eupdateOrCreate([\u0027key\u0027 =\u003e $key], [\u0027value\u0027 =\u003e $value]);\n }\n```\n3. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension\u0027s createServer() method.\n\nBecause of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.\n\n### Impact\nThis is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.\n\nDepending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.",
"id": "GHSA-5q4q-834j-g8g4",
"modified": "2026-06-30T16:44:31Z",
"published": "2026-06-30T16:44:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5q4q-834j-g8g4"
},
{
"type": "PACKAGE",
"url": "https://github.com/Paymenter/Paymenter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Paymenter has URL parameter injection that bypasses paid plan limits at checkout"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.