Vulnerabilities and security researches forhostel hostel

Jun 07, 2024

CVE, Research URL: CVE-2024-4314
Home page URL: Security reports for Hostel
Application: Hostel
Date: May 14, 2024
Research Description: The Hostel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5.3. This is due to missing or incorrect nonce validation when managing rooms. This makes it possible for unauthenticated attackers to create and delete rooms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 1.1.5.4.
Status: vulnerable

CVE, Research URL: CVE-2019-12345
Home page URL: Security reports for Hostel
Application: Hostel
Date: May 28, 2019
Research Description: XSS exists in the Kiboko Hostel plugin before 1.1.4 for WordPress.
Affected versions: max 1.1.4.
Status: vulnerable

CVE, Research URL: CVE-2023-0545
Home page URL: Security reports for Hostel
Application: Hostel
Date: Jun 05, 2023
Research Description: The Hostel WordPress plugin before 1.1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected versions: max 1.1.5.2.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-32120
Home page URL: Security reports for Hostel
Application: Hostel
Date: Dec 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS.This issue affects Hostel: from n/a through 1.1.5.1.
Affected versions: max 1.1.5.2.
Status: vulnerable

Jul 15, 2024

CVE, Research URL: CVE-2024-3753
Home page URL: Security reports for Hostel
Application: Hostel
Date: Jul 13, 2024
Research Description: The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions: max 1.1.5.3.
Status: vulnerable

Apr 02, 2025

CVE, Research URL: CVE-2025-31102
Home page URL: Security reports for Hostel
Application: Hostel
Date: Mar 28, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel allows Reflected XSS. This issue affects Hostel: from n/a through 1.1.5.5.
Affected versions: max 1.1.5.6.
Status: vulnerable

CVE, Research URL: CVE-2025-30848
Home page URL: Security reports for Hostel
Application: Hostel
Date: Apr 01, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel allows Reflected XSS. This issue affects Hostel: from n/a through 1.1.5.
Affected versions: max 1.1.5.5.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-39566
Home page URL: Security reports for Hostel
Application: Hostel
Date: Apr 16, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Hostel allows Blind SQL Injection. This issue affects Hostel: from n/a through 1.1.5.6.
Affected versions: max 1.1.5.7.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-66119
Home page URL: Security reports for Hostel
Application: Hostel
Date: Dec 18, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.9.
Affected versions: max 1.1.5.9.
Status: vulnerable

Apr 20, 2026

CVE, Research URL: CVE-2026-1838
Home page URL: Security reports for Hostel
Application: Hostel
Date: Apr 18, 2026
Research Description: The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 1.1.7.
Status: vulnerable