Stored Cross-Site Scripting Vulnerability in Hostel Plugin for WordPress
CVE-2026-3907
6.4MEDIUM
What is CVE-2026-3907?
The Hostel plugin for WordPress contains a stored cross-site scripting vulnerability found in all versions up to and including 1.1.7. The vulnerability arises from improper input sanitization and output escaping on user-supplied attributes within the 'wphostel-book' shortcode. Specifically, the second attribute used for button text is passed directly to the $text variable without adequate sanitization, leading to potential script injections. This flaw allows authenticated users with Contributor-level access or higher to inject malicious scripts into web pages. The injected scripts execute whenever a user visits an affected page, posing a significant security risk.
Affected Version(s)
Hostel 0 <= 1.1.7