CVE-2022-50948 PUBLISHED

Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting

Assigner: VulnCheck
Reserved: 11.01.2026 Published: 10.05.2026 Updated: 10.05.2026

Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Product Status

Vendor Motopress
Product Motopress Hotel Booking Lite
Versions
  • Version 4.2.4 is affected

Credits

  • Sanjay Singh finder

References

Problem Types

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE