Platform: wordpress
Component: motopress-hotel-booking-lite
Fixed in: 5.2.4
CVE-2025-66078 identifies a Remote Code Execution (RCE) vulnerability within the Hotel Booking Lite WordPress plugin, a popular tool for managing hotel reservations. This flaw, stemming from improper code generation control (Code Injection), allows attackers to include malicious code on vulnerable systems. Versions of Hotel Booking Lite from 0.0.0 through 5.2.3 are affected, and a patch is available in version 5.2.4.
The impact of this RCE vulnerability is severe. An attacker can leverage this Code Injection flaw to execute arbitrary code on the web server hosting the Hotel Booking Lite plugin. This could lead to complete compromise of the WordPress site, including data exfiltration, malware installation, and defacement. Given the plugin's function, sensitive guest data such as names, contact information, and payment details could be at risk. Successful exploitation could also allow for lateral movement within the network if the web server has access to other systems. The blast radius extends to all users of the affected plugin, particularly those with limited security configurations.
CVE-2025-66078 was publicly disclosed on December 18, 2025. The vulnerability's nature – a Code Injection leading to RCE – aligns with common attack patterns. While no public proof-of-concept (PoC) has been confirmed at the time of writing, the CRITICAL CVSS score and the ease of exploitation suggest a high probability of exploitation. It is advisable to monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Websites utilizing the Hotel Booking Lite plugin, particularly those running older, unpatched versions (0.0.0–5.2.3), are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited control over plugin updates and security configurations. Sites with weak WordPress security practices, such as default user credentials or outdated core versions, are also at increased risk.
• wordpress / composer / npm: grep -r "jetmonsters/hotel-booking-lite" /var/www/html
• wordpress / composer / npm: wp plugin list | grep -i "hotel-booking"   (wp plugin list prints plugin slugs, not display names, so match on the slug rather than "Hotel Booking Lite")
• wordpress / composer / npm: wp plugin update --all
• generic web: Check the WordPress plugin directory for the updated version.
• generic web: Review web server access logs for suspicious file inclusion attempts (e.g., attempts to include files from unexpected locations).
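The checks above only tell you whether the plugin is present; to decide whether an installed copy actually falls in the affected range (0.0.0 through 5.2.3) you have to compare its version against the fixed release. The following script is an added example, not code from the advisory or from the plugin vendor: it reads the standard "Version:" line of a WordPress plugin header and compares it with 5.2.4 using a POSIX-sh dotted-version comparison (no dependency on sort -V). The plugin file it checks is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): decide whether an
# installed Hotel Booking Lite copy is in the affected range (0.0.0 through 5.2.3)
# by reading the plugin header and comparing against the fixed version 5.2.4.

FIXED_VERSION="5.2.4"

# version_lt A B: succeeds (exit 0) when dotted version A is lower than B.
# Pure POSIX sh so it does not depend on sort -V being available.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"          # leading component of each
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"            # missing components count as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                                # versions are equal
}

# hbl_is_affected VERSION: succeeds when VERSION is below the fixed release.
hbl_is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# plugin_header_version FILE: print the value of the "Version:" line from a
# WordPress plugin header comment block.
plugin_header_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Demo on a constructed plugin header (placeholder content, not the real plugin file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
<?php
/**
 * Plugin Name: Hotel Booking Lite
 * Version: 5.2.3
 */
EOF
v=$(plugin_header_version "$demo_file")
if hbl_is_affected "$v"; then
    echo "version $v: affected, update to $FIXED_VERSION or later"
else
    echo "version $v: not affected"
fi
rm -f "$demo_file"
```

In a real deployment point plugin_header_version at the plugin's main PHP file under wp-content/plugins/ (path depends on the install) rather than the constructed demo file.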
Disclosure
Exploit status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Hotel Booking Lite plugin to version 5.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of defense. Review WordPress security best practices, including limiting user privileges and keeping WordPress core and other plugins updated. Monitor web server access logs for suspicious activity related to file inclusion attempts.
Update to version 5.2.4, or a newer patched version
CVE-2025-66078 is a CRITICAL Remote Code Execution vulnerability in the Hotel Booking Lite WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Hotel Booking Lite versions 0.0.0 through 5.2.3. Upgrade to 5.2.4 or later to resolve the issue.
Upgrade the Hotel Booking Lite plugin to version 5.2.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no confirmed exploitation has been publicly reported, the CRITICAL severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official Hotel Booking Lite website and WordPress plugin repository for the latest security advisory and update information.