CVE-2026-3907 in Hostel Plugininfo

Summary

by MITRE • 07/10/2026

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability identified in the WordPress Hostel plugin represents a critical stored cross-site scripting weakness that affects all versions up to and including 1.1.7. This security flaw resides within the plugin's handling of the 'wphostel-book' shortcode functionality, where insufficient input validation and output sanitization create an exploitable vector for malicious code injection. The vulnerability specifically targets the second shortcode attribute which serves as button text, demonstrating a classic improper input validation issue that violates fundamental web security principles.

The technical implementation of this vulnerability occurs at the code level where line 79 processes the user-supplied shortcode attribute directly into the `$text` variable without any sanitization measures. This unvalidated input then flows to line 91 where it is output directly into an HTML `value` attribute without proper escaping mechanisms such as `esc_attr()` or equivalent sanitization functions. The absence of these protective measures creates a persistent XSS condition where malicious scripts can be stored and executed whenever affected pages are accessed by legitimate users.

Attackers with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts that will execute in the context of any user who visits a page containing the maliciously injected content. This privileged access requirement does not diminish the severity of the flaw, as it allows attackers to potentially escalate their privileges further or perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing website content. The stored nature of this XSS vulnerability means that once injected, the malicious code persists until manually removed by administrators.

The operational impact of this vulnerability extends beyond simple script execution to encompass potential data breaches and service disruption. Attackers could leverage this flaw to establish persistent backdoors, harvest user credentials through session hijacking, or manipulate website functionality in ways that compromise the integrity of the entire WordPress installation. This weakness particularly affects hospitality websites that rely on booking systems, as it creates opportunities for attackers to intercept reservation data or redirect users to phishing pages.

Mitigation strategies should focus on immediate patching of the affected plugin version and implementation of proper input validation throughout the shortcode processing pipeline. The fix must incorporate comprehensive sanitization of all user-supplied attributes before they are stored or processed, followed by appropriate output escaping when rendering HTML elements. Organizations should also implement additional security controls such as web application firewalls, regular security audits, and monitoring for suspicious shortcode usage patterns to detect potential exploitation attempts.

This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in input sanitization and output escaping mechanisms. The attack vector demonstrates characteristics consistent with ATT&CK technique T1566.001 related to credential access through phishing and social engineering, as well as T1213.002 for data from information repositories where stored XSS can be used to extract sensitive user information. The security implications underscore the importance of maintaining up-to-date plugins and implementing robust input validation practices across all web applications to prevent similar vulnerabilities from compromising system integrity.

Responsible

Wordfence

Reservation

03/10/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!