PatchSiren cyber security CVE debrief
CVE-2026-3907 prasunsen CVE debrief
The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping.
- Vendor
- prasunsen
- Product
- Hostel
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress users and administrators should review and update the Hostel plugin to prevent exploitation.
Technical summary
The Hostel plugin for WordPress has a Stored Cross-Site Scripting vulnerability via the 'wphostel-book' shortcode. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. An authenticated attacker with Contributor-level access can inject malicious scripts, which will be executed when a user accesses the injected page. The vulnerability is caused by the second shortcode attribute being passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This vulnerability can be exploited by authenticated attackers with Contributor-level access and above.
Defensive priority
Medium priority due to the CVSS score of 6.4 and the potential for authenticated attackers to inject arbitrary web scripts.
Recommended defensive actions
- Update the Hostel plugin to a version that includes a fix for this vulnerability.
- Restrict access to the WordPress dashboard to trusted users only.
- Implement a Web Application Firewall (WAF) to detect and prevent common web attacks.
- Regularly monitor WordPress sites for suspicious activity and update plugins promptly.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-10T09:16:53.677Z and was last modified on 2026-07-10T15:43:30.330Z. The vulnerability was reported by [email protected]. Evidence is limited to CVE and NVD details. Defenders should verify the Hostel plugin version and review code for 'wphostel-book' shortcode usage.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T09:16:53.677Z and has not been modified since then.