The vulnerability is an improper neutralization of input during web page generation that allows an attacker to inject arbitrary script into pages served by the plugin. When untrusted data is echoed back in a response, a malicious user can run arbitrary JavaScript in the context of the victim’s browser, enabling cookie theft, session hijacking, or phishing spoofing. The weakness is identified as CWE‑79, a classic reflected XSS flaw.

The bug affects WordPress sites that have the Bob Hostel "Hostel" plugin installed, in versions from the earliest available release through and including version 1.1.5. Site administrators using any of those releases are therefore vulnerable until the plugin is updated beyond this version.

With a CVSS score of 7.1, the exploitation model is moderate severity. The EPSS score of less than 1% indicates a very low current probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, because reflected XSS can be triggered via a crafted URL or user input that the victim may be tricked into visiting, the attack vector is remote web-based. Successful exploitation would occur when an attacker crafts a request that the plugin processes and a victim, potentially an administrator or regular user, loads the affected page and executes the injected script.