CVE-2026-1838

EUVD-2026-23624 MEDIUM

2026-04-18 Wordfence

XSS WordPress

6.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 18, 2026 - 01:52 vuln.today

DescriptionNVD

The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

Reflected XSS in Hostel WordPress plugin versions up to 1.1.6 allows unauthenticated attackers to inject arbitrary JavaScript via the 'shortcode_id' parameter, requiring user interaction (clicking a malicious link) to execute. The vulnerability stems from insufficient input sanitization and output escaping in the shortcode handling code. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-1838 vulnerability details – vuln.today

Back