Description
Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Motopress Hotel Booking Lite version 4.2.4 includes a stored cross-site scripting flaw that permits authenticated administrators to embed malicious script payloads through the title and excerpt fields of accommodation types. When these data are displayed on the public accommodations page, the script runs in the visitor's browser.

Affected Systems

The vulnerability affects the Motopress Hotel Booking Lite plugin (WordPress) with an installable version of 4.2.4. Only installations corresponding to this version and its components are impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity, and the EPSS score is currently not available, suggesting limited publicly known exploitation attempts. The flaw requires authentication to the WordPress administrative interface, so the likelihood of exploitation is contingent on the presence of vulnerable credentials. The vulnerability is not listed in the CISA KEV catalog, so there is no evidence of large‑scale exploitation at present. A likely attack vector involves an attacker with valid admin credentials submitting crafted title or excerpt content via the plugin’s admin UI, which is then stored and rendered to public users.

Generated by OpenCVE AI on May 10, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Motopress Hotel Booking Lite release that includes the XSS fix.
  • Remove or sanitize any existing accommodation types that contain potentially malicious script content.
  • Enable a Content Security Policy (CSP) header that restricts script execution to trusted sources to mitigate the risk if an attacker manages to inject residual code.

Generated by OpenCVE AI on May 10, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 10 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page.
Title Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting
First Time appeared Motopress
Motopress hotel Booking Lite
Weaknesses CWE-79
CPEs cpe:2.3:a:motopress:hotel_booking_lite:4.2.4:*:*:*:*:wordpress:*:*
Vendors & Products Motopress
Motopress hotel Booking Lite
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Motopress Hotel Booking Lite
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:48.402Z

Reserved: 2026-01-11T13:34:26.331Z

Link: CVE-2022-50948

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:32.657

Modified: 2026-05-10T13:16:32.657

Link: CVE-2022-50948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T14:00:13Z

Weaknesses