CVE-2025-31102

CVE-2025-31102 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Hostel WordPress plugin developed by Bob Hostel. The flaw impacts all versions of the plugin up to and including 1.1.5.5, allowing malicious input to be reflected back in web pages without proper sanitization. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and changed scope.

Unauthenticated attackers (PR:N) can exploit this vulnerability remotely over the network by crafting malicious links or payloads that require user interaction, such as tricking a site administrator or authenticated user into visiting a specially crafted URL on the vulnerable Hostel plugin site. Successful exploitation enables script injection in the victim's browser context, potentially leading to low-level impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), including theft of session cookies, keystroke logging, or phishing within the site's scope, amplified by the changed scope (S:C) to affect client-side data.

Patchstack advisories document this issue and provide details on the vulnerability in the WordPress Hostel plugin version 1.1.5.5; practitioners should consult https://patchstack.com/database/Wordpress/Plugin/hostel/vulnerability/wordpress-hostel-plugin-1-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation guidance, such as updating to a patched version if available or implementing input validation and content security policies.