PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3907 prasunsen CVE debrief

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping.

Vendor
prasunsen
Product
Hostel
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress users and administrators should review and update the Hostel plugin to prevent exploitation.

Technical summary

The Hostel plugin for WordPress has a Stored Cross-Site Scripting vulnerability via the 'wphostel-book' shortcode. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. An authenticated attacker with Contributor-level access can inject malicious scripts, which will be executed when a user accesses the injected page. The vulnerability is caused by the second shortcode attribute being passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This vulnerability can be exploited by authenticated attackers with Contributor-level access and above.

Defensive priority

Medium priority due to the CVSS score of 6.4 and the potential for authenticated attackers to inject arbitrary web scripts.

Recommended defensive actions

  • Update the Hostel plugin to a version that includes a fix for this vulnerability.
  • Restrict access to the WordPress dashboard to trusted users only.
  • Implement a Web Application Firewall (WAF) to detect and prevent common web attacks.
  • Regularly monitor WordPress sites for suspicious activity and update plugins promptly.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-10T09:16:53.677Z and was last modified on 2026-07-10T15:43:30.330Z. The vulnerability was reported by [email protected]. Evidence is limited to CVE and NVD details. Defenders should verify the Hostel plugin version and review code for 'wphostel-book' shortcode usage.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:53.677Z and has not been modified since then.