CVE-2024-9458

MEDIUM

Reservit Hotel WordPress Plugin < 3.0 - Authenticated Stored Cross-Site Scripting in Settings

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-9458. PoCs published by Ilteris Kaan Pehlivan.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in the Reservit Hotel WordPress plugin. The exploit leverages unsanitized settings to inject malicious JavaScript, which executes when an admin accesses the content dashboard.

Description

The Reservit Hotel WordPress plugin before 3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Exploits (1)

exploitdb WRITEUP
by Ilteris Kaan Pehlivan · text · webapps · php
https://www.exploit-db.com/exploits/52133

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Reservit Hotel < 3.0
Auth required
Prerequisites: Admin access to the WordPress dashboard · Reservit Hotel plugin installed and activated
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/

Scores

CVSS v3 4.8
EPSS 0.0166
EPSS Percentile 82.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
reservit/reservit_hotel 2.1
Published Mar 07, 2025
Tracked Since Feb 18, 2026