WordPress Plugin Vulnerabilities

Hotel Booking < 2.2.9 - Authenticated (Editor+) Stored Cross-Site Scripting

Description

The Hotel Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
wp-hotel-booking
Fixed in 2.2.9

References

CVE
CVE-2025-63011
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f57cac64-c8c7-45c9-8079-2a727ee30872

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
80000a20-da37-4de5-ad0d-efb90cb04d8e

Timeline

Publicly Published
2025-11-05 (about 6 months ago)
Added
2025-12-10 (about 5 months ago)
Last Updated
2026-02-26 (about 2 months ago)

Other

Published
Title
Published
2023-11-20
Title
EmbedPress < 3.9.2 - Reflected XSS
Published
2020-06-17
Title
Testimonial Rotator < 3.0.3 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2021-06-07
Title
WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2025-11-17
Title
CSV to SortTable <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-09
Title
WPFront Notification Bar < 2.1.0.08087 - Authenticated Stored XSS