CVE-2025-6236

Name of the Vulnerable Software and Affected Versions: Hostel WordPress plugin versions prior to 1.1.5.9

Description: The Hostel WordPress plugin does not properly sanitize and escape certain settings. This could allow users with high privileges, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks, even when the unfiltered html capability is disabled, for example, in a multi-site setup. Stored XSS attacks involve injecting malicious scripts into a website that are then stored and executed when other users visit the affected page.

Recommendations: Update the Hostel WordPress plugin to version 1.1.5.9 or later.