PatchSiren cyber security CVE debrief
CVE-2022-50948 Motopress CVE debrief
CVE-2022-50948 is a stored cross-site scripting issue reported for Motopress Hotel Booking Lite 4.2.4. According to the source corpus, an authenticated attacker can place malicious content into accommodation type title and excerpt fields, and the injected script runs when visitors load the accommodations page. The CVE and NVD entries classify it as medium severity, and no KEV listing was provided.
- Vendor: Motopress
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
WordPress site owners, administrators, and security teams running Motopress Hotel Booking Lite 4.2.4 should care, especially where authenticated users can create or edit accommodation types and where those pages are publicly accessible.
Technical summary
The source corpus describes a stored XSS (CWE-79) in Motopress Hotel Booking Lite 4.2.4. The vulnerable data flow is tied to accommodation type fields, specifically the title and excerpt parameters used when creating accommodation types. Because the injected content is stored and later rendered on the accommodations page, a visitor’s browser can execute attacker-supplied script content. The supplied NVD metadata lists the issue as network-reachable, low-complexity, requiring low privileges and user interaction.
Defensive priority
Medium
Recommended defensive actions
- Check for a patched vendor release and update Motopress Hotel Booking Lite as soon as one is available; if no fix is available, disable or remove the plugin from exposed sites.
- Restrict who can create or edit accommodation types so only trusted administrators can submit content to the affected fields.
- Review existing accommodation type entries for unexpected HTML or script-like content and remove anything suspicious.
- Apply server-side output encoding and input sanitization for all content rendered into accommodation pages.
- Monitor public accommodations pages for unexpected script execution or unusual DOM changes, and consider a security plugin or WAF rule set to help block XSS payloads.
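One way to carry out the review and output-encoding actions above, as an added example that is not part of the original debrief or the plugin's code. It assumes the accommodation type titles and excerpts have been exported into a list of records and that both fields are meant to hold plain text; the record layout, ids and sample values are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed sample export. "title" and "excerpt" are the fields named in the
# debrief; the record layout and ids are assumptions for this example.
RECORDS = [
    {"id": 101, "title": "Deluxe Double Room", "excerpt": "Sea view, 2 guests & breakfast"},
    {"id": 102, "title": "Suite <script>console.log('t')</script>", "excerpt": "Top floor"},
    {"id": 103, "title": "Family Room", "excerpt": '<img src="x" onerror="console.log(1)">'},
    {"id": 104, "title": "Budget <b>Single</b>", "excerpt": "Shared bathroom"},
]

# Tags that can run or load code on their own; any other tag is only "review".
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "style", "link", "meta", "base", "form"}

class MarkupFinder(HTMLParser):
    """Records every start tag found in a field that should be plain text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        severity = "high" if tag in ACTIVE_TAGS else "review"
        for name, value in attrs:
            url = (value or "").strip().lower()
            # Event-handler attributes and script-bearing URL schemes.
            if name.startswith("on") or url.startswith(("javascript:", "data:")):
                severity = "high"
        self.hits.append((severity, tag))

def audit(records, fields=("title", "excerpt")):
    """Return (record id, field, severity, tag) for each piece of markup found."""
    findings = []
    for rec in records:
        for field in fields:
            finder = MarkupFinder()
            finder.feed(rec.get(field) or "")
            finder.close()
            findings += [(rec["id"], field, sev, tag) for sev, tag in finder.hits]
    return findings

def render_safe(value):
    """Output encoding: the stored value is shown as text, never parsed as HTML."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(finding)
```

Python's `html.parser` does not tokenize malformed markup exactly as a browser does, so the audit is a triage aid for finding entries to clean up; encoding at render time is the control that stops stored content from executing.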
Evidence notes
The debrief is based only on the supplied CVE record, NVD metadata, and the referenced VulnCheck advisory references. The corpus identifies Motopress Hotel Booking Lite 4.2.4 and describes a stored XSS affecting accommodation type title and excerpt parameters, with scripts executing in visitors’ browsers on the accommodations page. Vendor attribution in the supplied metadata is marked low confidence and needs review. Timeline fields supplied with the CVE place publication and modification on 2026-05-10; no KEV data was provided.
Official resources
Public disclosure timing in the supplied timeline is 2026-05-10T13:16:32.657Z for both publication and modification. The source corpus does not provide a KEV entry or ransomware linkage.