CVE-2022-50948

MEDIUM

Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50948. PoCs published by Sanjay Singh.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in WordPress Plugin Motopress Hotel Booking Lite 4.2.4. The attacker injects malicious JavaScript payloads into the title and excerpt fields of an accommodation type, which execute when the page is visited.

Description

Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page.

Exploits (1)

exploitdb WORKING POC

by Sanjay Singh · textwebappsphp

https://www.exploit-db.com/exploits/50951

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in WordPress Plugin Motopress Hotel Booking Lite 4.2.4. The attacker injects malicious JavaScript payloads into the title and excerpt fields of an accommodation type, which execute when the page is visited.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WordPress Plugin Motopress Hotel Booking Lite 4.2.4

Auth required

Prerequisites: WordPress admin access · Motopress Hotel Booking Lite plugin installed and activated

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3

Core References

Product product

Official Product Homepage

https://motopress.com/

Exploit exploit

ExploitDB-50951

https://www.exploit-db.com/exploits/50951

Third Party Advisory third-party-advisory

VulnCheck Advisory: Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting

https://www.vulncheck.com/advisories/motopress-hotel-booking-lite-stored-cross-site-scripting

Scores

CVSS v3 6.4

EPSS 0.0019

EPSS Percentile 8.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

Motopress/Motopress Hotel Booking Lite 4.2.4

Published May 10, 2026

Tracked Since May 10, 2026