Hostel <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wphostel-book' Shortcode

2026-07-09 19:36
Muhammad Yudha - DJ

Strategic Overview

Status
Patched in 1.1.8
Affected PluginHostel
Affected Version<= 1.1.7
CVSS6.4Medium
CVECVE-2026-3907
View all Hostel vulnerabilities

Vulnerability Overview

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis

REMEDIATION: Update to version 1.1.8, or a newer patched version --- IDENTIFIER: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C