Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Hostel gdlr-hostel allows Reflected XSS. This issue affects Goodlayers Hostel: from n/a through <= 3.1.2.
Published: 2025-05-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GoodLayers Goodlayers Hostel WordPress plugin fails to neutralize user-supplied input before rendering it in a web page. This enables reflected XSS: arbitrary JavaScript can be injected and executed when a user views a crafted page or submits a malicious value. The impact falls primarily on the confidentiality, integrity and availability of user sessions and of data exposed through the application or browser. No direct disk access or code execution on the server is described, but script running in the victim's browser could steal the session or perform further attacks.

Affected Systems

WordPress sites that have the GoodLayers Goodlayers Hostel plugin installed at version 3.1.2 or earlier. The vendor, GoodLayers, publishes this plugin for the Goodlayers Hostel product line. Any affected site that has not updated beyond 3.1.2 is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level for this XSS. EPSS of <1% suggests that active exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers likely need only lure a victim to a crafted URL or form input; typical exploitation requires no authentication or special permissions. Because the vulnerability is reflected, a remote attacker can exploit it by serving a malicious link or by forging a vulnerable request. The low EPSS value reflects narrow exploitation opportunities, but the impact and score still warrant promptly addressing the issue.

Generated by OpenCVE AI on April 30, 2026 at 19:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GoodLayers Goodlayers Hostel plugin to the latest released version (3.1.3 or later) instead of using the vulnerable 3.1.2 or earlier releases.
  • If an immediate update is not possible, configure the WordPress instance to apply strict output encoding or use a security plugin that sanitizes plugin output, thereby preventing the execution of injected scripts.
  • Ensure that any user‑supplied fields processed by the Goodlayers Hostel plugin are validated and escaped according to OWASP WAF guidelines, and restrict the use of the plugin to trusted administrators to reduce the attack surface.


Advisories
Source: EUVD
ID: EUVD-2025-27966
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Hostel allows Reflected XSS. This issue affects Goodlayers Hostel: from n/a through 3.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Hostel allows Reflected XSS. This issue affects Goodlayers Hostel: from n/a through 3.1.2.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Hostel gdlr-hostel allows Reflected XSS. This issue affects Goodlayers Hostel: from n/a through <= 3.1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Goodlayers Hostel allows Reflected XSS. This issue affects Goodlayers Hostel: from n/a through 3.1.2.
Title WordPress Goodlayers Hostel Plugin <= 3.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.989Z

Reserved: 2025-04-16T06:24:15.129Z

Link: CVE-2025-39502

Vulnrichment

Updated: 2025-05-23T13:40:47.096Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:31.800

Modified: 2026-04-23T15:29:41.063

Link: CVE-2025-39502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses