Platform
wordpress
Component
motopress-hotel-booking-lite
Fixed in
5.2.4
CVE-2025-66078 identifies a Remote Code Execution (RCE) vulnerability within the Hotel Booking Lite WordPress plugin, a popular tool for managing hotel reservations. This flaw, stemming from improper code generation control (Code Injection), allows attackers to include malicious code on vulnerable systems. Versions of Hotel Booking Lite from 0.0.0 through 5.2.3 are affected, and a patch is available in version 5.2.4.
The impact of this RCE vulnerability is severe. An attacker can leverage this Code Injection flaw to execute arbitrary code on the web server hosting the Hotel Booking Lite plugin. This could lead to complete compromise of the WordPress site, including data exfiltration, malware installation, and defacement. Given the plugin's function, sensitive guest data such as names, contact information, and payment details could be at risk. Successful exploitation could also allow for lateral movement within the network if the web server has access to other systems. The blast radius extends to all users of the affected plugin, particularly those with limited security configurations.
CVE-2025-66078 was publicly disclosed on December 18, 2025. The vulnerability's nature, a Code Injection leading to RCE, aligns with common attack patterns. While no public proof-of-concept (PoC) has been confirmed at the time of writing, the CRITICAL CVSS score and the ease of exploitation suggest a high probability of exploitation. It is advisable to monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Websites utilizing the Hotel Booking Lite plugin, particularly those running older, unpatched versions (0.0.0–5.2.3), are at significant risk. Shared hosting environments are especially vulnerable, as they often have limited control over plugin updates and security configurations. Sites with weak WordPress security practices, such as default user credentials or outdated core versions, are also at increased risk.
• wordpress / composer / npm: `grep -r "jetmonsters/hotel-booking-lite" /var/www/html`
• wordpress / composer / npm: `wp plugin list | grep "Hotel Booking Lite"`
• wordpress / composer / npm: `wp plugin update --all`
• generic web: Check the WordPress plugin directory for the updated version.
• generic web: Review web server access logs for suspicious file inclusion attempts (e.g., attempts to include files from unexpected locations).
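As an added example (not part of the advisory), the following POSIX shell helper turns the version check above into a pass/fail decision: any version below the fix release 5.2.4 is in the affected range 0.0.0 through 5.2.3. The plugin slug `motopress-hotel-booking-lite` is taken from the component field on this page, and WP-CLI is assumed to be available for the live-site query.

```shell
#!/bin/sh
# Added example: classify a Hotel Booking Lite version against the CVE-2025-66078 fix.
# Versions 0.0.0 .. 5.2.3 are affected; 5.2.4 and later are patched (from the advisory).

FIXED_VERSION="5.2.4"

# version_lt A B : returns 0 if A < B, comparing dotted numeric components.
# Missing components count as 0; a trailing suffix such as "-beta" is ignored.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # keep only the leading digits
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1    # equal versions are not "less than"
}

# hb_status VERSION : prints "vulnerable" or "patched" for CVE-2025-66078.
hb_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# hb_check_site WP_PATH : read the installed version with WP-CLI and report it.
# Assumes WP-CLI is installed; slug taken from the advisory's component field.
hb_check_site() {
    ver=$(wp --path="$1" plugin get motopress-hotel-booking-lite --field=version 2>/dev/null) || {
        echo "Hotel Booking Lite not installed or WP-CLI unavailable"
        return 2
    }
    echo "Hotel Booking Lite $ver: $(hb_status "$ver")"
}
```

Run `hb_check_site /var/www/html` against an install; a "vulnerable" result means the plugin should be updated to 5.2.4 or disabled as described in the mitigation section.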
disclosure
Exploit status
EPSS
0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Hotel Booking Lite plugin to version 5.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of defense. Review WordPress security best practices, including limiting user privileges and keeping WordPress core and other plugins updated. Monitor web server access logs for suspicious activity related to file inclusion attempts.
Update to version 5.2.4, or a newer patched version
CVE-2025-66078 is a CRITICAL Remote Code Execution vulnerability in the Hotel Booking Lite WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Hotel Booking Lite versions 0.0.0 through 5.2.3. Upgrade to 5.2.4 or later to resolve the issue.
Upgrade the Hotel Booking Lite plugin to version 5.2.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no confirmed exploitation has been publicly reported, the CRITICAL severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official Hotel Booking Lite website and WordPress plugin repository for the latest security advisory and update information.