Motopress Hotel Booking Lite Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Motopress Hotel Booking Lite version 4.2.4. This vulnerability allows authenticated attackers to inject malicious scripts into accommodation type fields. The injected scripts are executed in the browser when visitors access the accommodations page. The vulnerability arises from improper neutralization of input during web page generation, specifically through the title and excerpt parameters when creating accommodation types.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the accommodations page.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the 'Add Accommodation Type' section. After entering a title and excerpt that includes script tags, the user can publish the accommodation type. Once published, the injected script will execute when the accommodations page is accessed.