Remote Code Inclusion Vulnerability in Hotel Booking Lite by MotoPress
CVE-2025-66078

9.1CRITICAL

Key Information:

Vendor

WordPress

Vendor
CVE Published:
18 December 2025

What is CVE-2025-66078?

A vulnerability in the MotoPress Hotel Booking Lite plugin allows attackers to execute unauthorized code through remote code inclusion. Versions from n/a up to 5.2.3 are susceptible to this issue. If exploited, this security flaw can lead to the execution of arbitrary code on the affected systems, posing significant risks to user data and system integrity.

Affected Version(s)

Hotel Booking Lite 0 <= 5.2.3

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

benzdeus | Patchstack Bug Bounty Program
.