CVE-2025-66119
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WordPress Hostel plugin up to 1.1.5.9 allows attackers to inject malicious scripts via unneutralized input.
Vulnerability
The Hostel plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This affects all versions from n/a through 1.1.5.9 [1]. The vulnerability is classified as High severity with a CVSS v3 score of 7.1.
Exploitation
An attacker can exploit this by crafting a malicious link that, when clicked by a privileged user (e.g., an administrator), triggers the execution of arbitrary JavaScript in the context of the victim's browser. User interaction is required, but successful exploitation does not require authentication beyond the victim's session [1].
Impact
Successful exploitation allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when visitors access the affected site. This can lead to defacement, data theft, or further compromise of the WordPress installation [1].
Mitigation
The vulnerability has been patched in version 1.1.6 of the Hostel plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.