cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forhostel hostel

Direction: ascending
Jun 07, 2024

Hostel # CVE-2024-4314

CVE, Research URL

CVE-2024-4314

Application

Hostel

Date
May 14, 2024
Research Description
The Hostel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5.3. This is due to missing or incorrect nonce validation when managing rooms. This makes it possible for unauthenticated attackers to create and delete rooms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.1.5.4.
Status
vulnerable

Hostel # CVE-2019-12345

CVE, Research URL

CVE-2019-12345

Application

Hostel

Date
May 28, 2019
Research Description
XSS exists in the Kiboko Hostel plugin before 1.1.4 for WordPress.
Affected versions
max 1.1.4.
Status
vulnerable

Hostel # CVE-2023-0545

CVE, Research URL

CVE-2023-0545

Application

Hostel

Date
Jun 05, 2023
Research Description
The Hostel WordPress plugin before 1.1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 1.1.5.2.
Status
vulnerable
Jun 10, 2024

Hostel # CVE-2023-32120

CVE, Research URL

CVE-2023-32120

Application

Hostel

Date
Dec 24, 2025
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS.This issue affects Hostel: from n/a through 1.1.5.1.
Affected versions
max 1.1.5.2.
Status
vulnerable
Jul 15, 2024

Hostel # CVE-2024-3753

CVE, Research URL

CVE-2024-3753

Application

Hostel

Date
Jul 13, 2024
Research Description
The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions
max 1.1.5.3.
Status
vulnerable
Apr 02, 2025

Hostel # CVE-2025-31102

CVE, Research URL

CVE-2025-31102

Application

Hostel

Date
Mar 28, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.5.
Affected versions
max 1.1.5.6.
Status
vulnerable

Hostel # CVE-2025-30848

CVE, Research URL

CVE-2025-30848

Application

Hostel

Date
Apr 01, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.
Affected versions
max 1.1.5.5.
Status
vulnerable
Apr 18, 2025

Hostel # CVE-2025-39566

CVE, Research URL

CVE-2025-39566

Application

Hostel

Date
Apr 16, 2025
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Hostel hostel allows Blind SQL Injection.This issue affects Hostel: from n/a through <= 1.1.5.6.
Affected versions
max 1.1.5.7.
Status
vulnerable
Jan 10, 2026

Hostel # CVE-2025-66119

CVE, Research URL

CVE-2025-66119

Application

Hostel

Date
Dec 18, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.9.
Affected versions
max 1.1.6.
Status
vulnerable
Apr 20, 2026

Hostel # CVE-2026-1838

CVE, Research URL

CVE-2026-1838

Application

Hostel

Date
Apr 18, 2026
Research Description
The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 1.1.7.
Status
vulnerable
Apr 26, 2026

Hostel # CVE-2025-6236

CVE, Research URL

CVE-2025-6236

Application

Hostel

Date
Jul 10, 2025
Research Description
The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions
max 1.1.5.9.
Status
vulnerable

Hostel # CVE-2025-6234

CVE, Research URL

CVE-2025-6234

Application

Hostel

Date
Jul 10, 2025
Research Description
The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Affected versions
max 1.1.5.8.
Status
vulnerable
Jun 16, 2026

Hostel # f3e3ee5290feb52bf74b73e0f3cb0a81d043203b

Application

Hostel

Date
May 27, 2019
Research Description
Hostel [hostel] < 1.1.4 WordPress Hostel plugin <= 1.1.3 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability found by Admavidhya N in WordPress Hostel plugin (versions <= 1.1.3).
Affected versions
max 1.1.4.
Status
vulnerable
Jul 11, 2026

Hostel # CVE-2026-3907

CVE, Research URL

CVE-2026-3907

Application

Hostel

Date
Jul 10, 2026
Research Description
The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.1.8.
Status
vulnerable