GHSA-5q4q-834j-g8g4: Paymenter has URL parameter injection that bypasses paid plan limits at checkout
Paymenter before version 1.5.1 contains a vulnerability in its checkout component that allows authenticated users to inject arbitrary URL parameters. These parameters bypass validation and are stored without sanitization, enabling users to override server provisioning settings such as resource limits and package tiers without administrative privileges. This is a business logic flaw affecting the server provisioning process.
AI Analysis
Technical Summary
The Paymenter checkout component improperly filters URL-writable properties, exposing the $checkoutConfig property to URL query parameters. Validation is only applied to keys explicitly defined by extensions, allowing undefined keys to bypass validation. These unchecked keys are stored directly in the database and later used during server provisioning, where user-supplied values override administrator-defined configurations. This flaw enables authenticated users to manipulate server resource limits and hosting plans at checkout without special privileges.
Potential Impact
Authenticated users can remotely manipulate server provisioning parameters, overriding core resource limits such as CPU, RAM, storage, or package tiers. This can lead to unauthorized resource allocation and potential abuse of hosting services. No administrative privileges are required to exploit this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the checkout component to trusted users and monitor for unusual provisioning activity. Review and harden validation and sanitization of URL parameters in the checkout process so that only keys explicitly defined by extensions are accepted and arbitrary keys cannot be injected.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-5q4q-834j-g8g4
- OSV schema version: 1.4.0
- Aliases: CVE-2026-47198
- Ecosystems: Packagist
- Database-specific severity: HIGH
- CVSS version: 3.1
Threat ID: 6a4452ee27e9c797198ec34b
Added to database: 06/30/2026, 23:36:14 UTC
Last enriched: 06/30/2026, 23:56:02 UTC
Last updated: 06/30/2026, 23:56:02 UTC