cleantalk
Vulnerabilities and Security Researches

Hostel, CVE-2023-32120

CVE, Research URL

CVE-2023-32120

Home page URL

Security reports for Hostel

Application

Hostel

Published on
-
Research Description
The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Room Title of the Manage Bookings feature in versions up to, and including, 1.1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 1.1.5.1.
Status
vulnerable
Previous vulnerability researches
Hostel (CVE-2025-39566) , Apr 18, 2025
Hostel (CVE-2025-31102) , Apr 02, 2025
Hostel (CVE-2025-30848) , Apr 02, 2025
Hostel (CVE-2023-32120) , Jun 10, 2024
Hostel (CVE-2024-3753) , Jul 15, 2024
New vulnerability
GitHub Gist Shortcode Plugin (CVE-2025-12667) , Dec 12, 2025
Cryptocurrency Payment Gateway for WooCommerce (CVE-2025-12392) , Dec 12, 2025
Wbcom Designs – Private Community for BuddyPress (CVE-2025-67582) , Dec 12, 2025
WP-Walla (CVE-2025-12589) , Dec 12, 2025
Master Addons for Elementor (CVE-2025-63055) , Dec 12, 2025