CVE-2025-66078
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on WordPress sites running the Hotel Booking Lite plugin. Attackers can inject malicious code through the plugin's functionality, potentially taking full control of affected websites. All WordPress installations using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Hotel Booking Lite plugin (motopress-hotel-booking-lite)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, defacement, malware distribution, and lateral movement to other systems.
Likely Case
Website takeover, data exfiltration, and installation of backdoors or cryptocurrency miners.
If Mitigated
Limited impact if web application firewall blocks malicious payloads and file upload restrictions are in place.
🎯 Exploit Status
Remote code execution via code injection in plugin functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Hotel Booking Lite' and click 'Update Now'. 4. Verify update to version 5.2.4 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Hotel Booking Lite plugin until patched.
wp plugin deactivate motopress-hotel-booking-lite
Web Application Firewall rule
allBlock requests containing suspicious patterns targeting the plugin.
🧯 If You Can't Patch
- Remove the Hotel Booking Lite plugin completely
- Restrict access to the WordPress admin interface using IP whitelisting
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Hotel Booking Lite version ≤5.2.3Check Version:
wp plugin get motopress-hotel-booking-lite --field=versionVerify Fix Applied:
Confirm plugin version is 5.2.4 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-content/plugins/motopress-hotel-booking-lite/
- PHP file creation in unexpected directories
- Webshell-like activity in access logs
Network Indicators:
- HTTP requests with suspicious payloads targeting the plugin endpoints
- Outbound connections to unknown IPs from web server
SIEM Query:
source="web_access.log" AND (uri="/wp-content/plugins/motopress-hotel-booking-lite/*" AND (method="POST" OR status="200"))