VYPR
Medium severity 6.4 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50948

Description

Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in Motopress Hotel Booking Lite <=4.2.4 allows script injection via accommodation title/excerpt parameters.

Vulnerability

Overview

CVE-2022-50948 is a stored cross-site scripting (XSS) vulnerability in the Motopress Hotel Booking Lite version of the Hotel Booking plugin for WordPress, up to and including version 4.2.4. The root cause is improper neutralization of user-supplied input in the accommodation type fields during the creation of new accommodation types. Specifically, the title and excerpt parameters are not sanitized, allowing an authenticated attacker with access to accommodation type creation to inject arbitrary script tags [1][2].

Exploitation

Prerequisites and Attack Vector

To exploit this vulnerability, an attacker must first have valid credentials to the WordPress administration panel with at least the capability to create or edit accommodation types (e.g., an editor role or similar). The attacker crafts a payload (e.g., "><script>alert("XSS")</script>) and submits it in the title and/or excerpt fields. When a visitor or any user navigates to the accommodations page, the stored payload is rendered by the browser, executing the injected script [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any browser that views the compromised accommodations page. This can be used to steal session cookies, redirect users to malicious sites, deface the page, or perform other actions within the context of the authenticated user's session. While the CVSS v3 score (6.4) indicates moderate severity, the impact is dependent on the sensitivity of the data and actions available to the authenticated session.

Mitigation

The vendor, MotoPress, has addressed this vulnerability in a subsequent release; users are strongly advised to update to the latest version of the plugin. As noted in the advisory, the fix involves proper escaping of the title and excerpt fields [2]. No workarounds are recommended other than upgrading or temporarily disabling accommodation type creation for untrusted users.
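
The escaping described above, applied to the payload quoted in the Exploitation section, as an added example in plain PHP. It is not the plugin's code or the vendor's patch; the record layout, the markup and the function names (render_unsafe, render_safe, e, fields_with_markup) are assumptions made for illustration.

```php
<?php
// Added example in plain PHP; not the plugin's code. Names and markup are assumptions.

// Constructed record: what storage holds after the submission described above.
$accommodation = [
    'title'   => '"><script>alert("XSS")</script>',
    'excerpt' => 'Sea view suite with balcony',
];

// Before: stored values are concatenated into markup unchanged, so the leading
// "> closes the title attribute and the script element reaches the browser.
function render_unsafe(array $a): string
{
    return '<a class="room" title="' . $a['title'] . '">' . $a['title'] . '</a>'
         . '<p>' . $a['excerpt'] . '</p>';
}

// Encode for HTML text and quoted-attribute contexts. ENT_QUOTES covers both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: every stored value is encoded at the point of output.
function render_safe(array $a): string
{
    return '<a class="room" title="' . e($a['title']) . '">' . e($a['title']) . '</a>'
         . '<p>' . e($a['excerpt']) . '</p>';
}

// Audit helper: names of fields whose stored value contains HTML tags, for
// reviewing entries that were saved before output encoding was in place.
function fields_with_markup(array $a): array
{
    return array_keys(array_filter($a, fn (string $v): bool => $v !== strip_tags($v)));
}

echo render_unsafe($accommodation), PHP_EOL;
echo render_safe($accommodation), PHP_EOL;
echo 'Fields to review: ', implode(', ', fields_with_markup($accommodation)), PHP_EOL;
```

In WordPress code the same output encoding is done with esc_html() for text and esc_attr() for attribute values. Records saved before an upgrade stay in the database, which is why the audit helper is included alongside the encoding.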

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3
