GHSA-5Q4Q-834J-G8G4

Vulnerability from github – Published: 2026-06-30 16:44 – Updated: 2026-06-30 16:44
VLAI
Summary
Paymenter has URL parameter injection that bypasses paid plan limits at checkout
Details

Summary

The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.

Technical Details

The Checkout Livewire component (app/Livewire/Products/Checkout.php) exposes the $checkoutConfig property to URL query parameters via the #[Url] attribute (aliased as config).

When processing this input: 1. Validation rules are dynamically generated only for keys explicitly defined by an extension's getCheckoutConfig() method. Any undefined keys injected into the query parameter bypass validation entirely. 2. The cart component (app/Livewire/Cart.php) stores all keys from checkout_config directly into the database without sanitation:

   foreach ($item->checkout_config as $key => $value) {
       $service->properties()->updateOrCreate(['key' => $key], ['value' => $value]);
   }
  1. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension's createServer() method.

Because of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.

Impact

This is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.

Depending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "paymenter/paymenter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47198"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T16:44:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a regular user can override hosting plans and resource limits at checkout without special privileges.\n\n### Technical Details\nThe `Checkout` Livewire component (`app/Livewire/Products/Checkout.php`) exposes the `$checkoutConfig` property to URL query parameters via the `#[Url]` attribute (aliased as `config`). \n\nWhen processing this input:\n1. Validation rules are dynamically generated *only* for keys explicitly defined by an extension\u0027s `getCheckoutConfig()` method. Any undefined keys injected into the query parameter bypass validation entirely.\n2. The cart component (`app/Livewire/Cart.php`) stores all keys from `checkout_config` directly into the database without sanitation:\n```php\n   foreach ($item-\u003echeckout_config as $key =\u003e $value) {\n       $service-\u003eproperties()-\u003eupdateOrCreate([\u0027key\u0027 =\u003e $key], [\u0027value\u0027 =\u003e $value]);\n   }\n```\n3. During server provisioning, app/Helpers/ExtensionHelper.php retrieves these stored properties and passes them to the extension\u0027s createServer() method.\n\nBecause of how individual server extensions handle these properties, user-injected data overrides intended administrator settings.\n\n### Impact\nThis is a business logic flaw that allows remote, authenticated users to manipulate server provisioning parameters.\n\nDepending on the active extension, this leads to unauthorized overrides of core resource limits (such as CPU, RAM, storage, or package tiers). No administrative privileges are required to exploit this vulnerability.",
  "id": "GHSA-5q4q-834j-g8g4",
  "modified": "2026-06-30T16:44:31Z",
  "published": "2026-06-30T16:44:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Paymenter/Paymenter/security/advisories/GHSA-5q4q-834j-g8g4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Paymenter/Paymenter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Paymenter has URL parameter injection that bypasses paid plan limits at checkout"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…