Platform
wordpress
Component
motopress-hotel-booking-lite
Fixed in
5.2.4
CVE-2025-66078 identifies a Remote Code Execution (RCE) vulnerability within the Hotel Booking Lite WordPress plugin, a popular tool for managing hotel reservations. This flaw, stemming from improper code generation control (Code Injection), allows attackers to include malicious code on vulnerable systems. Versions of Hotel Booking Lite from 0.0.0 through 5.2.3 are affected, and a patch is available in version 5.2.4.
The impact of this RCE vulnerability is severe. An attacker can leverage this Code Injection flaw to execute arbitrary code on the web server hosting the Hotel Booking Lite plugin. This could lead to complete compromise of the WordPress site, including data exfiltration, malware installation, and defacement. Given the plugin's function, sensitive guest data such as names, contact information, and payment details could be at risk. Successful exploitation could also allow for lateral movement within the network if the web server has access to other systems. The blast radius extends to all users of the affected plugin, particularly those with limited security configurations.
CVE-2025-66078 was publicly disclosed on December 18, 2025. The vulnerability's nature – a Code Injection leading to RCE – aligns with common attack patterns. While no public proof-of-concept (PoC) has been confirmed at the time of writing, the CRITICAL CVSS score and the ease of exploitation suggest a high probability of exploitation. It is advisable to monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Exploit Status
EPSS
0.07% (20th percentile)
The primary mitigation is to immediately upgrade the Hotel Booking Lite plugin to version 5.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of defense. Review WordPress security best practices, including limiting user privileges and keeping WordPress core and other plugins updated. Monitor web server access logs for suspicious activity related to file inclusion attempts.
Update to version 5.2.4, or a newer patched version
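One way to check whether an installed copy falls in the affected range (0.0.0 through 5.2.3) is to read the plugin's own header and compare it with the fixed version; the following is an added example, not code from the advisory or from the plugin vendor, and it assumes the standard WordPress layout of `wp-content/plugins/motopress-hotel-booking-lite/` with the header in a top-level `.php` file. Pre-release builds of 5.2.4 are treated as still affected, since only the released 5.2.4 is named as the fix.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Fixed version and plugin slug as stated in the advisory.
FIXED_VERSION = "5.2.4"
PLUGIN_SLUG = "motopress-hotel-booking-lite"

# Constructed sample of a WordPress plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Hotel Booking Lite
 * Version: 5.2.3
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key: numeric parts padded to three, then 0 for a pre-release
    suffix (e.g. '5.2.4-beta1') or 1 for a plain release, so 5.2.4-beta1 < 5.2.4."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version).group(0)
    parts = tuple(int(p) for p in core.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + (0 if len(core) < len(version) else 1,)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Affected range per the advisory: every version below the fixed release."""
    return version_key(version) < version_key(fixed)


def check_plugin_dir(plugins_root: Path) -> Tuple[Optional[str], bool]:
    """Locate the plugin header on disk and return (version, affected).
    Assumed layout: <plugins_root>/<slug>/*.php; WordPress itself only reads
    the first 8 KB of each top-level PHP file when looking for headers."""
    for php_file in sorted((plugins_root / PLUGIN_SLUG).glob("*.php")):
        head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            version = parse_plugin_version(head)
            return version, (version is None) or is_affected(version)
    return None, True  # header not found: treat as unverified, i.e. still affected
```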
CVE-2025-66078 is a CRITICAL Remote Code Execution vulnerability in the Hotel Booking Lite WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Hotel Booking Lite versions 0.0.0 through 5.2.3. Upgrade to 5.2.4 or later to resolve the issue.
Upgrade the Hotel Booking Lite plugin to version 5.2.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no confirmed exploitation has been publicly reported, the CRITICAL severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official Hotel Booking Lite website and WordPress plugin repository for the latest security advisory and update information.